sentinelayer-cli 0.4.5 → 0.6.2

package/src/ai/identity-store.js

@@ -1,270 +1,270 @@
-import fsp from "node:fs/promises";
-import path from "node:path";
-
-const REGISTRY_SCHEMA_VERSION = "1.0.0";
-const TERMINAL_IDENTITY_STATUSES = new Set(["SQUASHED"]);
-
-function normalizeString(value) {
-  return String(value || "").trim();
-}
-
-function normalizeUpper(value) {
-  return normalizeString(value).toUpperCase();
-}
-
-function normalizeTagList(value) {
-  if (!Array.isArray(value)) {
-    return [];
-  }
-  const unique = new Set();
-  for (const item of value) {
-    const normalized = normalizeString(item);
-    if (normalized) {
-      unique.add(normalized);
-    }
-  }
-  return [...unique];
-}
-
-function normalizeLegalHoldStatus(value) {
-  const normalized = normalizeUpper(value);
-  if (!normalized) {
-    return "NONE";
-  }
-  if (normalized === "HOLD" || normalized === "NONE" || normalized === "UNKNOWN") {
-    return normalized;
-  }
-  return normalized;
-}
-
-function normalizeMetadata(value) {
-  const source = value && typeof value === "object" ? value : {};
-  return {
-    ...source,
-    tags: normalizeTagList(source.tags),
-    legalHoldStatus: normalizeLegalHoldStatus(source.legalHoldStatus),
-  };
-}
-
-function normalizeIdentityRecord(record = {}) {
-  const metadata = normalizeMetadata(record.metadata);
-  const legalHoldStatus = normalizeLegalHoldStatus(record.legalHoldStatus || metadata.legalHoldStatus);
-  return {
-    identityId: normalizeString(record.identityId),
-    parentIdentityId: normalizeString(record.parentIdentityId) || null,
-    emailAddress: normalizeString(record.emailAddress) || null,
-    status: normalizeString(record.status) || "UNKNOWN",
-    projectId: normalizeString(record.projectId) || null,
-    orgId: normalizeString(record.orgId) || null,
-    apiUrl: normalizeString(record.apiUrl) || null,
-    createdAt: normalizeString(record.createdAt) || new Date().toISOString(),
-    lastUpdatedAt: normalizeString(record.lastUpdatedAt) || new Date().toISOString(),
-    expiresAt: normalizeString(record.expiresAt) || null,
-    revokedAt: normalizeString(record.revokedAt) || null,
-    squashedAt: normalizeString(record.squashedAt) || null,
-    legalHoldStatus,
-    metadata,
-  };
-}
-
-export function resolveIdentityRegistryPath({ outputRoot } = {}) {
-  const resolvedOutputRoot = path.resolve(String(outputRoot || "."));
-  return path.join(resolvedOutputRoot, "aidenid", "identity-registry.json");
-}
-
-async function loadRegistryInternal(filePath) {
-  try {
-    const raw = await fsp.readFile(filePath, "utf-8");
-    const parsed = JSON.parse(raw);
-    const identities = Array.isArray(parsed.identities)
-      ? parsed.identities.map((item) => normalizeIdentityRecord(item)).filter((item) => item.identityId)
-      : [];
-    return {
-      schemaVersion: normalizeString(parsed.schemaVersion) || REGISTRY_SCHEMA_VERSION,
-      generatedAt: normalizeString(parsed.generatedAt) || new Date().toISOString(),
-      identities,
-    };
-  } catch (error) {
-    if (error && typeof error === "object" && error.code === "ENOENT") {
-      return {
-        schemaVersion: REGISTRY_SCHEMA_VERSION,
-        generatedAt: new Date().toISOString(),
-        identities: [],
-      };
-    }
-    throw error;
-  }
-}
-
-async function writeRegistryInternal(filePath, registry = {}) {
-  const normalized = {
-    schemaVersion: REGISTRY_SCHEMA_VERSION,
-    generatedAt: new Date().toISOString(),
-    identities: Array.isArray(registry.identities) ? registry.identities.map(normalizeIdentityRecord) : [],
-  };
-  await fsp.mkdir(path.dirname(filePath), { recursive: true });
-  await fsp.writeFile(filePath, `${JSON.stringify(normalized, null, 2)}\n`, "utf-8");
-  return normalized;
-}
-
-export async function listIdentities({ outputRoot } = {}) {
-  const registryPath = resolveIdentityRegistryPath({ outputRoot });
-  const registry = await loadRegistryInternal(registryPath);
-  return {
-    registryPath,
-    identities: registry.identities,
-  };
-}
-
-export async function getIdentityById({ outputRoot, identityId } = {}) {
-  const normalizedIdentityId = normalizeString(identityId);
-  if (!normalizedIdentityId) {
-    throw new Error("identityId is required.");
-  }
-  const { registryPath, identities } = await listIdentities({ outputRoot });
-  const identity = identities.find((item) => item.identityId === normalizedIdentityId) || null;
-  return {
-    registryPath,
-    identity,
-  };
-}
-
-export async function recordProvisionedIdentity({
-  outputRoot,
-  response = {},
-  context = {},
-} = {}) {
-  const registryPath = resolveIdentityRegistryPath({ outputRoot });
-  const registry = await loadRegistryInternal(registryPath);
-  const identityId = normalizeString(response.id);
-  if (!identityId) {
-    throw new Error("Cannot record identity without response.id.");
-  }
-
-  const nowIso = new Date().toISOString();
-  const source = normalizeString(context.source) || "provision-email";
-  const nextRecord = normalizeIdentityRecord({
-    identityId,
-    parentIdentityId: response.parentIdentityId || context.parentIdentityId || null,
-    emailAddress: response.emailAddress,
-    status: response.status || "ACTIVE",
-    projectId: response.projectId || context.projectId,
-    orgId: context.orgId,
-    apiUrl: context.apiUrl,
-    createdAt: nowIso,
-    lastUpdatedAt: nowIso,
-    expiresAt: response.expiresAt || null,
-    legalHoldStatus: response.legalHoldStatus || context.legalHoldStatus || "NONE",
-    metadata: {
-      source,
-      idempotencyKey: context.idempotencyKey || null,
-      eventBudget: context.eventBudget ?? null,
-      tags: normalizeTagList(context.tags || response.tags || []),
-      legalHoldStatus: response.legalHoldStatus || context.legalHoldStatus || "NONE",
-    },
-  });
-
-  const index = registry.identities.findIndex((item) => item.identityId === identityId);
-  if (index >= 0) {
-    const existing = registry.identities[index];
-    registry.identities[index] = normalizeIdentityRecord({
-      ...existing,
-      ...nextRecord,
-      createdAt: existing.createdAt || nextRecord.createdAt,
-      metadata: {
-        ...existing.metadata,
-        ...nextRecord.metadata,
-      },
-    });
-  } else {
-    registry.identities.push(nextRecord);
-  }
-
-  const saved = await writeRegistryInternal(registryPath, registry);
-  const identity = saved.identities.find((item) => item.identityId === identityId) || null;
-  return {
-    registryPath,
-    identity,
-  };
-}
-
-export async function updateIdentityStatus({
-  outputRoot,
-  identityId,
-  status,
-  revokedAt = "",
-  squashedAt = "",
-  metadataPatch = {},
-} = {}) {
-  const normalizedIdentityId = normalizeString(identityId);
-  if (!normalizedIdentityId) {
-    throw new Error("identityId is required.");
-  }
-  const nextStatus = normalizeString(status);
-  if (!nextStatus) {
-    throw new Error("status is required.");
-  }
-
-  const registryPath = resolveIdentityRegistryPath({ outputRoot });
-  const registry = await loadRegistryInternal(registryPath);
-  const index = registry.identities.findIndex((item) => item.identityId === normalizedIdentityId);
-  if (index < 0) {
-    throw new Error(`Identity '${normalizedIdentityId}' was not found in local registry.`);
-  }
-
-  const existing = registry.identities[index];
-  registry.identities[index] = normalizeIdentityRecord({
-    ...existing,
-    status: nextStatus,
-    revokedAt: normalizeString(revokedAt) || existing.revokedAt || null,
-    squashedAt: normalizeString(squashedAt) || existing.squashedAt || null,
-    legalHoldStatus: metadataPatch?.legalHoldStatus || existing.legalHoldStatus || "NONE",
-    lastUpdatedAt: new Date().toISOString(),
-    metadata: {
-      ...existing.metadata,
-      ...(metadataPatch && typeof metadataPatch === "object" ? metadataPatch : {}),
-    },
-  });
-
-  const saved = await writeRegistryInternal(registryPath, registry);
-  return {
-    registryPath,
-    identity: saved.identities[index],
-  };
-}
-
-export function filterIdentitiesByTags(identities = [], tags = []) {
-  const requestedTags = normalizeTagList(tags);
-  if (requestedTags.length === 0) {
-    return [...identities];
-  }
-  const required = new Set(requestedTags);
-  return identities.filter((identity) => {
-    const identityTags = normalizeTagList(identity?.metadata?.tags);
-    if (identityTags.length === 0) {
-      return false;
-    }
-    return [...required].every((tag) => identityTags.includes(tag));
-  });
-}
-
-export async function findStaleIdentities({ outputRoot, nowIso = new Date().toISOString() } = {}) {
-  const { registryPath, identities } = await listIdentities({ outputRoot });
-  const nowMs = new Date(nowIso).getTime();
-  const stale = identities.filter((identity) => {
-    const status = normalizeUpper(identity.status);
-    if (TERMINAL_IDENTITY_STATUSES.has(status)) {
-      return false;
-    }
-    const expiresAtMs = new Date(identity.expiresAt || "").getTime();
-    if (!Number.isFinite(expiresAtMs)) {
-      return false;
-    }
-    return expiresAtMs <= nowMs;
-  });
-  return {
-    registryPath,
-    identities,
-    stale,
-  };
-}
+import fsp from "node:fs/promises";
+import path from "node:path";
+
+const REGISTRY_SCHEMA_VERSION = "1.0.0";
+const TERMINAL_IDENTITY_STATUSES = new Set(["SQUASHED"]);
+
+function normalizeString(value) {
+  return String(value || "").trim();
+}
+
+function normalizeUpper(value) {
+  return normalizeString(value).toUpperCase();
+}
+
+function normalizeTagList(value) {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+  const unique = new Set();
+  for (const item of value) {
+    const normalized = normalizeString(item);
+    if (normalized) {
+      unique.add(normalized);
+    }
+  }
+  return [...unique];
+}
+
+function normalizeLegalHoldStatus(value) {
+  const normalized = normalizeUpper(value);
+  if (!normalized) {
+    return "NONE";
+  }
+  if (normalized === "HOLD" || normalized === "NONE" || normalized === "UNKNOWN") {
+    return normalized;
+  }
+  return normalized;
+}
+
+function normalizeMetadata(value) {
+  const source = value && typeof value === "object" ? value : {};
+  return {
+    ...source,
+    tags: normalizeTagList(source.tags),
+    legalHoldStatus: normalizeLegalHoldStatus(source.legalHoldStatus),
+  };
+}
+
+function normalizeIdentityRecord(record = {}) {
+  const metadata = normalizeMetadata(record.metadata);
+  const legalHoldStatus = normalizeLegalHoldStatus(record.legalHoldStatus || metadata.legalHoldStatus);
+  return {
+    identityId: normalizeString(record.identityId),
+    parentIdentityId: normalizeString(record.parentIdentityId) || null,
+    emailAddress: normalizeString(record.emailAddress) || null,
+    status: normalizeString(record.status) || "UNKNOWN",
+    projectId: normalizeString(record.projectId) || null,
+    orgId: normalizeString(record.orgId) || null,
+    apiUrl: normalizeString(record.apiUrl) || null,
+    createdAt: normalizeString(record.createdAt) || new Date().toISOString(),
+    lastUpdatedAt: normalizeString(record.lastUpdatedAt) || new Date().toISOString(),
+    expiresAt: normalizeString(record.expiresAt) || null,
+    revokedAt: normalizeString(record.revokedAt) || null,
+    squashedAt: normalizeString(record.squashedAt) || null,
+    legalHoldStatus,
+    metadata,
+  };
+}
+
+export function resolveIdentityRegistryPath({ outputRoot } = {}) {
+  const resolvedOutputRoot = path.resolve(String(outputRoot || "."));
+  return path.join(resolvedOutputRoot, "aidenid", "identity-registry.json");
+}
+
+async function loadRegistryInternal(filePath) {
+  try {
+    const raw = await fsp.readFile(filePath, "utf-8");
+    const parsed = JSON.parse(raw);
+    const identities = Array.isArray(parsed.identities)
+      ? parsed.identities.map((item) => normalizeIdentityRecord(item)).filter((item) => item.identityId)
+      : [];
+    return {
+      schemaVersion: normalizeString(parsed.schemaVersion) || REGISTRY_SCHEMA_VERSION,
+      generatedAt: normalizeString(parsed.generatedAt) || new Date().toISOString(),
+      identities,
+    };
+  } catch (error) {
+    if (error && typeof error === "object" && error.code === "ENOENT") {
+      return {
+        schemaVersion: REGISTRY_SCHEMA_VERSION,
+        generatedAt: new Date().toISOString(),
+        identities: [],
+      };
+    }
+    throw error;
+  }
+}
+
+async function writeRegistryInternal(filePath, registry = {}) {
+  const normalized = {
+    schemaVersion: REGISTRY_SCHEMA_VERSION,
+    generatedAt: new Date().toISOString(),
+    identities: Array.isArray(registry.identities) ? registry.identities.map(normalizeIdentityRecord) : [],
+  };
+  await fsp.mkdir(path.dirname(filePath), { recursive: true });
+  await fsp.writeFile(filePath, `${JSON.stringify(normalized, null, 2)}\n`, "utf-8");
+  return normalized;
+}
+
+export async function listIdentities({ outputRoot } = {}) {
+  const registryPath = resolveIdentityRegistryPath({ outputRoot });
+  const registry = await loadRegistryInternal(registryPath);
+  return {
+    registryPath,
+    identities: registry.identities,
+  };
+}
+
+export async function getIdentityById({ outputRoot, identityId } = {}) {
+  const normalizedIdentityId = normalizeString(identityId);
+  if (!normalizedIdentityId) {
+    throw new Error("identityId is required.");
+  }
+  const { registryPath, identities } = await listIdentities({ outputRoot });
+  const identity = identities.find((item) => item.identityId === normalizedIdentityId) || null;
+  return {
+    registryPath,
+    identity,
+  };
+}
+
+export async function recordProvisionedIdentity({
+  outputRoot,
+  response = {},
+  context = {},
+} = {}) {
+  const registryPath = resolveIdentityRegistryPath({ outputRoot });
+  const registry = await loadRegistryInternal(registryPath);
+  const identityId = normalizeString(response.id);
+  if (!identityId) {
+    throw new Error("Cannot record identity without response.id.");
+  }
+
+  const nowIso = new Date().toISOString();
+  const source = normalizeString(context.source) || "provision-email";
+  const nextRecord = normalizeIdentityRecord({
+    identityId,
+    parentIdentityId: response.parentIdentityId || context.parentIdentityId || null,
+    emailAddress: response.emailAddress,
+    status: response.status || "ACTIVE",
+    projectId: response.projectId || context.projectId,
+    orgId: context.orgId,
+    apiUrl: context.apiUrl,
+    createdAt: nowIso,
+    lastUpdatedAt: nowIso,
+    expiresAt: response.expiresAt || null,
+    legalHoldStatus: response.legalHoldStatus || context.legalHoldStatus || "NONE",
+    metadata: {
+      source,
+      idempotencyKey: context.idempotencyKey || null,
+      eventBudget: context.eventBudget ?? null,
+      tags: normalizeTagList(context.tags || response.tags || []),
+      legalHoldStatus: response.legalHoldStatus || context.legalHoldStatus || "NONE",
+    },
+  });
+
+  const index = registry.identities.findIndex((item) => item.identityId === identityId);
+  if (index >= 0) {
+    const existing = registry.identities[index];
+    registry.identities[index] = normalizeIdentityRecord({
+      ...existing,
+      ...nextRecord,
+      createdAt: existing.createdAt || nextRecord.createdAt,
+      metadata: {
+        ...existing.metadata,
+        ...nextRecord.metadata,
+      },
+    });
+  } else {
+    registry.identities.push(nextRecord);
+  }
+
+  const saved = await writeRegistryInternal(registryPath, registry);
+  const identity = saved.identities.find((item) => item.identityId === identityId) || null;
+  return {
+    registryPath,
+    identity,
+  };
+}
+
+export async function updateIdentityStatus({
+  outputRoot,
+  identityId,
+  status,
+  revokedAt = "",
+  squashedAt = "",
+  metadataPatch = {},
+} = {}) {
+  const normalizedIdentityId = normalizeString(identityId);
+  if (!normalizedIdentityId) {
+    throw new Error("identityId is required.");
+  }
+  const nextStatus = normalizeString(status);
+  if (!nextStatus) {
+    throw new Error("status is required.");
+  }
+
+  const registryPath = resolveIdentityRegistryPath({ outputRoot });
+  const registry = await loadRegistryInternal(registryPath);
+  const index = registry.identities.findIndex((item) => item.identityId === normalizedIdentityId);
+  if (index < 0) {
+    throw new Error(`Identity '${normalizedIdentityId}' was not found in local registry.`);
+  }
+
+  const existing = registry.identities[index];
+  registry.identities[index] = normalizeIdentityRecord({
+    ...existing,
+    status: nextStatus,
+    revokedAt: normalizeString(revokedAt) || existing.revokedAt || null,
+    squashedAt: normalizeString(squashedAt) || existing.squashedAt || null,
+    legalHoldStatus: metadataPatch?.legalHoldStatus || existing.legalHoldStatus || "NONE",
+    lastUpdatedAt: new Date().toISOString(),
+    metadata: {
+      ...existing.metadata,
+      ...(metadataPatch && typeof metadataPatch === "object" ? metadataPatch : {}),
+    },
+  });
+
+  const saved = await writeRegistryInternal(registryPath, registry);
+  return {
+    registryPath,
+    identity: saved.identities[index],
+  };
+}
+
+export function filterIdentitiesByTags(identities = [], tags = []) {
+  const requestedTags = normalizeTagList(tags);
+  if (requestedTags.length === 0) {
+    return [...identities];
+  }
+  const required = new Set(requestedTags);
+  return identities.filter((identity) => {
+    const identityTags = normalizeTagList(identity?.metadata?.tags);
+    if (identityTags.length === 0) {
+      return false;
+    }
+    return [...required].every((tag) => identityTags.includes(tag));
+  });
+}
+
+export async function findStaleIdentities({ outputRoot, nowIso = new Date().toISOString() } = {}) {
+  const { registryPath, identities } = await listIdentities({ outputRoot });
+  const nowMs = new Date(nowIso).getTime();
+  const stale = identities.filter((identity) => {
+    const status = normalizeUpper(identity.status);
+    if (TERMINAL_IDENTITY_STATUSES.has(status)) {
+      return false;
+    }
+    const expiresAtMs = new Date(identity.expiresAt || "").getTime();
+    if (!Number.isFinite(expiresAtMs)) {
+      return false;
+    }
+    return expiresAtMs <= nowMs;
+  });
+  return {
+    registryPath,
+    identities,
+    stale,
+  };
+}

package/src/ai/proxy.js

@@ -0,0 +1,137 @@
+/**
+ * SentinelLayer LLM proxy provider.
+ *
+ * Routes LLM calls through POST /api/v1/proxy/llm using the stored
+ * sentinelayer_token. Users never need their own OpenAI/Anthropic key.
+ *
+ * Request:  { model, system_prompt, user_content, max_tokens, temperature }
+ * Response: { content, usage: { model, provider, tokens_in, tokens_out, cost_usd, latency_ms } }
+ */
+
+import { resolveActiveAuthSession } from "../auth/service.js";
+import { authLoginHint } from "../ui/command-hints.js";
+
+const DEFAULT_PROXY_MODEL = "gpt-5.3-codex";
+const PROXY_TIMEOUT_MS = 120_000;
+const PROXY_MAX_RETRIES = 2;
+const PROXY_RETRY_STATUSES = new Set([429, 502, 503, 504]);
+
+/**
+ * Invoke LLM via SentinelLayer proxy.
+ *
+ * @param {object} options
+ * @param {string} options.prompt - The user content / prompt text
+ * @param {string} [options.systemPrompt] - System prompt
+ * @param {string} [options.model] - Model ID (default: gpt-5.3-codex)
+ * @param {number} [options.maxTokens] - Max output tokens (default: 4096)
+ * @param {number} [options.temperature] - Temperature (default: 0.1)
+ * @param {string} [options.apiUrl] - Override API URL
+ * @param {string} [options.token] - Override Bearer token
+ * @returns {Promise<{ text: string, usage: { inputTokens: number, outputTokens: number, costUsd: number, model: string, provider: string, latencyMs: number } }>}
+ */
+export async function invokeViaProxy({
+  prompt,
+  systemPrompt = "",
+  model = DEFAULT_PROXY_MODEL,
+  maxTokens = 4096,
+  temperature = 0.1,
+  apiUrl = "",
+  token = "",
+} = {}) {
+  // Resolve credentials from session if not provided
+  let resolvedApiUrl = String(apiUrl || "").trim();
+  let resolvedToken = String(token || "").trim();
+
+  if (!resolvedApiUrl || !resolvedToken) {
+    const session = await resolveActiveAuthSession({
+      cwd: process.cwd(),
+      env: process.env,
+      autoRotate: false,
+    });
+    if (!session || !session.token) {
+      throw new Error(
+        `SentinelLayer LLM proxy requires authentication. Run '${authLoginHint()}' first.`
+      );
+    }
+    if (!resolvedApiUrl) resolvedApiUrl = String(session.apiUrl || "https://api.sentinelayer.com").trim();
+    if (!resolvedToken) resolvedToken = String(session.token).trim();
+  }
+
+  const url = `${resolvedApiUrl.replace(/\/+$/, "")}/api/v1/proxy/llm`;
+
+  const body = JSON.stringify({
+    model,
+    system_prompt: systemPrompt || "You are a code reviewer.",
+    user_content: String(prompt || ""),
+    max_tokens: maxTokens,
+    temperature,
+  });
+
+  let response = null;
+  let lastError = null;
+
+  for (let attempt = 0; attempt <= PROXY_MAX_RETRIES; attempt++) {
+    try {
+      const controller = new AbortController();
+      const timeoutHandle = setTimeout(() => controller.abort(), PROXY_TIMEOUT_MS);
+      try {
+        response = await fetch(url, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${resolvedToken}`,
+            Accept: "application/json",
+          },
+          body,
+          signal: controller.signal,
+        });
+      } finally {
+        clearTimeout(timeoutHandle);
+      }
+
+      if (PROXY_RETRY_STATUSES.has(response.status) && attempt < PROXY_MAX_RETRIES) {
+        const retryAfter = response.headers.get("Retry-After");
+        const delay = retryAfter && !isNaN(retryAfter) ? Math.min(Number(retryAfter), 5) * 1000 : 500 * (attempt + 1);
+        await new Promise((r) => setTimeout(r, delay));
+        continue;
+      }
+
+      break;
+    } catch (err) {
+      lastError = err;
+      if (attempt >= PROXY_MAX_RETRIES) break;
+      await new Promise((r) => setTimeout(r, 500 * (attempt + 1)));
+    }
+  }
+
+  if (!response) {
+    throw new Error(`SentinelLayer LLM proxy request failed: ${lastError?.message || "no response"}`);
+  }
+
+  if (!response.ok) {
+    let detail = "";
+    try {
+      const errBody = await response.json();
+      detail = errBody?.error?.message || errBody?.detail || JSON.stringify(errBody).slice(0, 200);
+    } catch {
+      detail = await response.text().catch(() => "");
+    }
+    throw new Error(`SentinelLayer LLM proxy error (${response.status}): ${detail}`);
+  }
+
+  const result = await response.json();
+
+  return {
+    text: String(result.content || ""),
+    usage: {
+      inputTokens: result.usage?.tokens_in || 0,
+      outputTokens: result.usage?.tokens_out || 0,
+      costUsd: result.usage?.cost_usd || 0,
+      model: result.usage?.model || model,
+      provider: result.usage?.provider || "sentinelayer",
+      latencyMs: result.usage?.latency_ms || 0,
+    },
+  };
+}
+
+export { DEFAULT_PROXY_MODEL };