sentinelayer-cli 0.8.0 → 0.8.1

package/src/daemon/artifact-lineage.js

@@ -1,3 +1,4 @@
+import { createHash } from "node:crypto";
 import fsp from "node:fs/promises";
 import path from "node:path";
 
@@ -6,6 +7,7 @@ import { getBudgetHealthColor, resolveOperatorControlStorage } from "./operator-
 import { listBudgetStates, resolveBudgetGovernorStorage } from "./budget-governor.js";
 import { listErrorQueue, resolveErrorDaemonStorage, WORK_ITEM_STATUSES } from "./error-worker.js";
 import { listJiraIssues, resolveJiraLifecycleStorage } from "./jira-lifecycle.js";
+import { resolveSessionPaths } from "../session/paths.js";
 
 const LINEAGE_SCHEMA_VERSION = "1.0.0";
 const WORK_ITEM_STATUS_SET = new Set(WORK_ITEM_STATUSES);
@@ -46,6 +48,348 @@ function toRelativePosix(baseDir, absolutePath) {
   return toPosixPath(relative);
 }
 
+function normalizeDateKey(value = "", fallbackIso = new Date().toISOString()) {
+  const normalized = normalizeString(value);
+  if (normalized && /^\d{4}-\d{2}-\d{2}$/.test(normalized)) {
+    return normalized;
+  }
+  return normalizeIsoTimestamp(normalized, fallbackIso).slice(0, 10);
+}
+
+function buildDayKey(nowIso = new Date().toISOString()) {
+  return normalizeDateKey(nowIso, nowIso);
+}
+
+function normalizeStringArray(values = []) {
+  if (!Array.isArray(values)) {
+    return [];
+  }
+  return Array.from(
+    new Set(
+      values
+        .map((value) => normalizeString(value))
+        .filter(Boolean)
+    )
+  );
+}
+
+async function readFileBufferOptional(filePath) {
+  try {
+    return await fsp.readFile(filePath);
+  } catch (error) {
+    if (error && typeof error === "object" && error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+
+async function hashFileSha256(filePath) {
+  const payload = await fsp.readFile(filePath);
+  return createHash("sha256").update(payload).digest("hex");
+}
+
+function resolveWorkItemArtifactDir(storage, workItemId, date) {
+  return path.join(
+    storage.observabilityRoot,
+    normalizeDateKey(date, new Date().toISOString()),
+    normalizeString(workItemId)
+  );
+}
+
+function canonicalizeArtifactRecords(artifactFiles = []) {
+  return artifactFiles
+    .map((artifact) => ({
+      name: normalizeString(artifact.name),
+      path: toPosixPath(normalizeString(artifact.path)),
+      sha256: normalizeString(artifact.sha256).toLowerCase(),
+      sizeBytes: Number(artifact.sizeBytes || 0),
+    }))
+    .sort((left, right) => left.path.localeCompare(right.path));
+}
+
+function buildCloseoutAnchorPayload({
+  workItemId,
+  sessionId,
+  date,
+  artifacts = [],
+  sessionStream = null,
+  cosignAttestationRef = "",
+  sbomRef = "",
+  evidenceLinks = [],
+} = {}) {
+  return {
+    workItemId: normalizeString(workItemId),
+    sessionId: normalizeString(sessionId) || null,
+    date: normalizeDateKey(date, new Date().toISOString()),
+    artifacts: canonicalizeArtifactRecords(artifacts),
+    sessionStream: sessionStream
+      ? {
+          path: toPosixPath(normalizeString(sessionStream.path)),
+          sha256: normalizeString(sessionStream.sha256).toLowerCase(),
+          sizeBytes: Number(sessionStream.sizeBytes || 0),
+        }
+      : null,
+    cosignAttestationRef: normalizeString(cosignAttestationRef) || null,
+    sbomRef: normalizeString(sbomRef) || null,
+    evidenceLinks: normalizeStringArray(evidenceLinks).sort((left, right) =>
+      left.localeCompare(right)
+    ),
+  };
+}
+
+function computeAnchorSha256(payload = {}) {
+  return createHash("sha256")
+    .update(JSON.stringify(payload))
+    .digest("hex");
+}
+
+function resolveArtifactAbsolutePath(storage, artifactPath = "") {
+  const normalized = normalizeString(artifactPath);
+  if (!normalized) {
+    return "";
+  }
+  if (path.isAbsolute(normalized)) {
+    return normalized;
+  }
+  return path.join(storage.outputRoot, normalized);
+}
+
+async function resolveSessionStreamDigest(sessionId, { targetPath = "." } = {}) {
+  const normalizedSessionId = normalizeString(sessionId);
+  if (!normalizedSessionId) {
+    return null;
+  }
+
+  const sessionPaths = resolveSessionPaths(normalizedSessionId, { targetPath });
+  const [rotatedBuffer, streamBuffer] = await Promise.all([
+    readFileBufferOptional(sessionPaths.rotatedStreamPath),
+    readFileBufferOptional(sessionPaths.streamPath),
+  ]);
+  if (!rotatedBuffer && !streamBuffer) {
+    return null;
+  }
+
+  const hash = createHash("sha256");
+  let totalBytes = 0;
+  if (rotatedBuffer) {
+    hash.update(rotatedBuffer);
+    totalBytes += rotatedBuffer.length;
+  }
+  if (streamBuffer) {
+    hash.update(streamBuffer);
+    totalBytes += streamBuffer.length;
+  }
+  return {
+    path: toPosixPath(path.relative(path.resolve(String(targetPath || ".")), sessionPaths.streamPath)),
+    sha256: hash.digest("hex"),
+    sizeBytes: totalBytes,
+  };
+}
+
+export async function writeCloseoutArtifact({
+  workItemId,
+  sessionId = "",
+  date = "",
+  targetPath = ".",
+  outputDir = "",
+  env,
+  homeDir,
+  nowIso = new Date().toISOString(),
+  cosignAttestationRef = "",
+  sbomRef = "",
+  evidenceLinks = [],
+  chainVerified = true,
+} = {}) {
+  const normalizedWorkItemId = normalizeString(workItemId);
+  if (!normalizedWorkItemId) {
+    throw new Error("workItemId is required.");
+  }
+  const normalizedTargetPath = path.resolve(String(targetPath || "."));
+  const normalizedNow = normalizeIsoTimestamp(nowIso, new Date().toISOString());
+  const storage = await resolveArtifactLineageStorage({
+    targetPath: normalizedTargetPath,
+    outputDir,
+    env,
+    homeDir,
+  });
+  const dateKey = normalizeDateKey(date, normalizedNow);
+  const artifactDir = resolveWorkItemArtifactDir(storage, normalizedWorkItemId, dateKey);
+  await fsp.mkdir(artifactDir, { recursive: true });
+  const closeoutPath = path.join(artifactDir, "closeout.json");
+
+  const entries = await fsp.readdir(artifactDir, { withFileTypes: true }).catch((error) => {
+    if (error && typeof error === "object" && error.code === "ENOENT") {
+      return [];
+    }
+    throw error;
+  });
+  const artifactFiles = [];
+  for (const entry of entries) {
+    if (!entry.isFile()) {
+      continue;
+    }
+    const lower = entry.name.toLowerCase();
+    if (lower === "closeout.json") {
+      continue;
+    }
+    const absolutePath = path.join(artifactDir, entry.name);
+    const stat = await fsp.stat(absolutePath);
+    artifactFiles.push({
+      name: entry.name,
+      path: toRelativePosix(storage.outputRoot, absolutePath),
+      sha256: await hashFileSha256(absolutePath),
+      sizeBytes: Number(stat.size || 0),
+    });
+  }
+  const sessionStream = await resolveSessionStreamDigest(normalizeString(sessionId), {
+    targetPath: normalizedTargetPath,
+  });
+  const anchorPayload = buildCloseoutAnchorPayload({
+    workItemId: normalizedWorkItemId,
+    sessionId,
+    date: dateKey,
+    artifacts: artifactFiles,
+    sessionStream,
+    cosignAttestationRef,
+    sbomRef,
+    evidenceLinks,
+  });
+  const anchorSha256 = computeAnchorSha256(anchorPayload);
+  const payload = {
+    schemaVersion: "1.0.0",
+    generatedAt: normalizedNow,
+    chainVerified: Boolean(chainVerified),
+    workItemId: normalizedWorkItemId,
+    sessionId: normalizeString(sessionId) || null,
+    date: dateKey,
+    artifactDir: toRelativePosix(storage.outputRoot, artifactDir),
+    artifacts: canonicalizeArtifactRecords(artifactFiles),
+    sessionStream,
+    cosignAttestationRef: normalizeString(cosignAttestationRef) || null,
+    sbomRef: normalizeString(sbomRef) || null,
+    evidenceLinks: normalizeStringArray(evidenceLinks).sort((left, right) =>
+      left.localeCompare(right)
+    ),
+    anchorSha256,
+  };
+  await writeJsonFile(closeoutPath, payload);
+  return {
+    closeoutPath,
+    payload,
+    anchorSha256,
+    artifactCount: payload.artifacts.length,
+  };
+}
+
+export async function verifyArtifactChain({
+  workItemId,
+  date = "",
+  targetPath = ".",
+  outputDir = "",
+  env,
+  homeDir,
+} = {}) {
+  const normalizedWorkItemId = normalizeString(workItemId);
+  if (!normalizedWorkItemId) {
+    throw new Error("workItemId is required.");
+  }
+  const normalizedTargetPath = path.resolve(String(targetPath || "."));
+  const storage = await resolveArtifactLineageStorage({
+    targetPath: normalizedTargetPath,
+    outputDir,
+    env,
+    homeDir,
+  });
+  const dateKey = normalizeDateKey(date, new Date().toISOString());
+  const artifactDir = resolveWorkItemArtifactDir(storage, normalizedWorkItemId, dateKey);
+  const closeoutPath = path.join(artifactDir, "closeout.json");
+  const closeout = await readJsonFile(closeoutPath, null);
+  if (!closeout || typeof closeout !== "object") {
+    throw new Error(`closeout.json was not found for work item '${normalizedWorkItemId}' on '${dateKey}'.`);
+  }
+
+  const mismatches = [];
+  const artifacts = Array.isArray(closeout.artifacts) ? closeout.artifacts : [];
+  for (const artifact of artifacts) {
+    const expectedPath = normalizeString(artifact.path);
+    const absolutePath = resolveArtifactAbsolutePath(storage, expectedPath);
+    if (!absolutePath) {
+      mismatches.push({
+        type: "artifact_path_missing",
+        path: expectedPath,
+      });
+      continue;
+    }
+    const buffer = await readFileBufferOptional(absolutePath);
+    if (!buffer) {
+      mismatches.push({
+        type: "artifact_missing",
+        path: expectedPath,
+      });
+      continue;
+    }
+    const actualSha256 = createHash("sha256").update(buffer).digest("hex");
+    if (normalizeString(artifact.sha256).toLowerCase() !== actualSha256) {
+      mismatches.push({
+        type: "artifact_sha_mismatch",
+        path: expectedPath,
+        expected: normalizeString(artifact.sha256).toLowerCase(),
+        actual: actualSha256,
+      });
+    }
+  }
+
+  let sessionStream = null;
+  const sessionId = normalizeString(closeout.sessionId);
+  if (sessionId) {
+    sessionStream = await resolveSessionStreamDigest(sessionId, {
+      targetPath: normalizedTargetPath,
+    });
+    if (closeout.sessionStream && sessionStream) {
+      const expectedStreamSha = normalizeString(closeout.sessionStream.sha256).toLowerCase();
+      if (expectedStreamSha !== normalizeString(sessionStream.sha256).toLowerCase()) {
+        mismatches.push({
+          type: "session_stream_sha_mismatch",
+          path: normalizeString(closeout.sessionStream.path),
+          expected: expectedStreamSha,
+          actual: normalizeString(sessionStream.sha256).toLowerCase(),
+        });
+      }
+    }
+  }
+
+  const recomputedAnchorPayload = buildCloseoutAnchorPayload({
+    workItemId: normalizedWorkItemId,
+    sessionId,
+    date: closeout.date,
+    artifacts,
+    sessionStream: sessionStream || closeout.sessionStream || null,
+    cosignAttestationRef: closeout.cosignAttestationRef,
+    sbomRef: closeout.sbomRef,
+    evidenceLinks: closeout.evidenceLinks,
+  });
+  const recomputedAnchorSha256 = computeAnchorSha256(recomputedAnchorPayload);
+  if (normalizeString(closeout.anchorSha256).toLowerCase() !== recomputedAnchorSha256) {
+    mismatches.push({
+      type: "anchor_sha_mismatch",
+      expected: normalizeString(closeout.anchorSha256).toLowerCase(),
+      actual: recomputedAnchorSha256,
+    });
+  }
+
+  return {
+    valid: mismatches.length === 0,
+    closeoutPath,
+    workItemId: normalizedWorkItemId,
+    date: normalizeDateKey(closeout.date, dateKey),
+    mismatches,
+    artifactCount: artifacts.length,
+    anchorSha256: normalizeString(closeout.anchorSha256).toLowerCase(),
+    recomputedAnchorSha256,
+  };
+}
+
 async function writeJsonFile(filePath, payload = {}) {
   await fsp.mkdir(path.dirname(filePath), { recursive: true });
   await fsp.writeFile(filePath, `${JSON.stringify(payload, null, 2)}\n`, "utf-8");
@@ -345,6 +689,7 @@ export async function buildArtifactLineageIndex({
       firstSeenAt: queueItem.firstSeenAt,
       lastSeenAt: queueItem.lastSeenAt,
       links: {
+        sessionId: assignment?.sessionId || null,
         agentIdentity: assignment?.assignedAgentIdentity || null,
         assignmentStatus: assignment?.status || null,
         assignmentStage: assignment?.stage || null,
@@ -370,6 +715,23 @@ export async function buildArtifactLineageIndex({
     };
   });
 
+  await Promise.all(
+    workItems.map(async (workItem) => {
+      const closeout = await writeCloseoutArtifact({
+        workItemId: workItem.workItemId,
+        sessionId: normalizeString(workItem.links.sessionId),
+        date: buildDayKey(normalizedNow),
+        targetPath,
+        outputDir,
+        env,
+        homeDir,
+        nowIso: normalizedNow,
+      });
+      workItem.artifacts.closeoutPath = toRelativePosix(storage.outputRoot, closeout.closeoutPath);
+      workItem.artifacts.closeoutAnchorSha256 = closeout.anchorSha256;
+    })
+  );
+
   const lineageRunId = createLineageRunId(normalizedNow);
   const statusCounts = summarizeStatusCounts(workItems);
   const linkedAgentIdentities = new Set(

package/src/daemon/assignment-ledger.js

@@ -1,3 +1,4 @@
+import { createHash } from "node:crypto";
 import fsp from "node:fs/promises";
 import path from "node:path";
 
@@ -55,6 +56,14 @@ function normalizeMetadata(value) {
   return { ...value };
 }
 
+function normalizeSeverity(value, fallbackValue = "P2") {
+  const normalized = normalizeString(value).toUpperCase();
+  if (normalized === "P0" || normalized === "P1" || normalized === "P2" || normalized === "P3") {
+    return normalized;
+  }
+  return fallbackValue;
+}
+
 function normalizeAssignmentStatus(value, fallbackValue = "QUEUED") {
   const normalized = normalizeString(value).toUpperCase();
   if (ASSIGNMENT_STATUS_SET.has(normalized)) {
@@ -964,3 +973,111 @@ export async function reassignLease({
     nowIso,
   });
 }
+
+function buildQueueFingerprint(seed = "") {
+  return createHash("sha256").update(normalizeString(seed) || "session-task").digest("hex");
+}
+
+export async function ensureWorkItemQueued({
+  targetPath = ".",
+  outputDir = "",
+  workItemId,
+  sessionId = "",
+  status = "QUEUED",
+  severity = "P2",
+  service = "session",
+  endpoint = "",
+  errorCode = "SESSION_TASK_ASSIGNMENT",
+  source = "session_task",
+  message = "",
+  dedupKey = "",
+  metadata = {},
+  env,
+  homeDir,
+  nowIso = new Date().toISOString(),
+} = {}) {
+  const normalizedNow = normalizeIsoTimestamp(nowIso, new Date().toISOString());
+  const normalizedWorkItemId = normalizeString(workItemId);
+  if (!normalizedWorkItemId) {
+    throw new Error("workItemId is required.");
+  }
+  const normalizedSessionId = normalizeSessionId(sessionId);
+  const normalizedStatus = normalizeWorkItemStatus(status, "QUEUED");
+  const normalizedService = normalizeString(service) || "session";
+  const normalizedEndpoint =
+    normalizeString(endpoint) ||
+    (normalizedSessionId
+      ? `/sessions/${normalizedSessionId}/tasks`
+      : "/sessions/global/tasks");
+  const normalizedErrorCode = normalizeString(errorCode) || "SESSION_TASK_ASSIGNMENT";
+  const normalizedSource = normalizeString(source) || "session_task";
+  const normalizedMessage = normalizeString(message) || "Session task assignment";
+  const normalizedDedupKey =
+    normalizeString(dedupKey) ||
+    `session|${normalizedSessionId || "none"}|${normalizedWorkItemId}`;
+  const normalizedMetadata = {
+    ...normalizeMetadata(metadata),
+    sessionId: normalizedSessionId,
+    source: normalizedSource,
+    workItemType: "session_task",
+  };
+
+  const storage = await resolveAssignmentLedgerStorage({
+    targetPath,
+    outputDir,
+    env,
+    homeDir,
+  });
+  const queue = await loadQueue(storage.queuePath, normalizedNow);
+  const existingIndex = queue.items.findIndex(
+    (item) => normalizeString(item.workItemId) === normalizedWorkItemId
+  );
+  const existing = existingIndex >= 0 ? queue.items[existingIndex] : null;
+  const fingerprintSeed = `${normalizedDedupKey}|${normalizedService}|${normalizedEndpoint}|${normalizedErrorCode}`;
+  const normalizedItem = normalizeQueueItem(
+    {
+      ...existing,
+      workItemId: normalizedWorkItemId,
+      fingerprint:
+        normalizeString(existing?.fingerprint) || buildQueueFingerprint(fingerprintSeed),
+      source: normalizedSource,
+      service: normalizedService,
+      endpoint: normalizedEndpoint,
+      errorCode: normalizedErrorCode,
+      severity: normalizeSeverity(existing?.severity || severity, "P2"),
+      status: normalizedStatus,
+      message: normalizedMessage,
+      stackFingerprint:
+        normalizeString(existing?.stackFingerprint) ||
+        buildQueueFingerprint(`${normalizedWorkItemId}|stack`).slice(0, 64),
+      commitSha: existing?.commitSha || null,
+      dedupKey: normalizedDedupKey,
+      firstSeenAt: normalizeIsoTimestamp(existing?.firstSeenAt, normalizedNow),
+      lastSeenAt: normalizedNow,
+      latestEventId: normalizeString(existing?.latestEventId) || null,
+      occurrenceCount: Math.max(1, Number(existing?.occurrenceCount || 1)),
+      requestIds: Array.isArray(existing?.requestIds) ? [...existing.requestIds] : [],
+      createdAt: normalizeIsoTimestamp(existing?.createdAt, normalizedNow),
+      updatedAt: normalizedNow,
+      metadata: {
+        ...normalizeMetadata(existing?.metadata),
+        ...normalizedMetadata,
+      },
+    },
+    normalizedNow
+  );
+
+  if (existingIndex >= 0) {
+    queue.items[existingIndex] = normalizedItem;
+  } else {
+    queue.items.push(normalizedItem);
+  }
+
+  const savedQueue = await writeQueue(storage.queuePath, queue, normalizedNow);
+  const queueItem = savedQueue.items.find((item) => item.workItemId === normalizedWorkItemId) || normalizedItem;
+  return {
+    ...storage,
+    queue: savedQueue,
+    queueItem,
+  };
+}