speclock 1.7.0 → 2.1.0

package/src/core/license.js

@@ -0,0 +1,221 @@
+/**
+ * SpecLock Freemium License System
+ * Three tiers: Free, Pro ($19/mo), Enterprise ($99/mo).
+ * Graceful degradation — free tier always works.
+ *
+ * Developed by Sandeep Roy (https://github.com/sgroy10)
+ */
+
+import fs from "fs";
+import path from "path";
+import crypto from "crypto";
+import { speclockDir, readBrain } from "./storage.js";
+
+// Tier definitions
+const TIERS = {
+  free: {
+    name: "Free",
+    maxLocks: 10,
+    maxDecisions: 5,
+    maxEvents: 500,
+    features: ["basic_conflict_detection", "context_pack", "session_tracking", "cli", "mcp"],
+  },
+  pro: {
+    name: "Pro",
+    maxLocks: Infinity,
+    maxDecisions: Infinity,
+    maxEvents: Infinity,
+    features: [
+      "basic_conflict_detection", "context_pack", "session_tracking", "cli", "mcp",
+      "llm_conflict_detection", "hmac_audit_chain", "compliance_exports",
+      "drift_detection", "templates", "github_actions",
+    ],
+  },
+  enterprise: {
+    name: "Enterprise",
+    maxLocks: Infinity,
+    maxDecisions: Infinity,
+    maxEvents: Infinity,
+    features: [
+      "basic_conflict_detection", "context_pack", "session_tracking", "cli", "mcp",
+      "llm_conflict_detection", "hmac_audit_chain", "compliance_exports",
+      "drift_detection", "templates", "github_actions",
+      "rbac", "encrypted_storage", "sso", "hard_enforcement",
+      "semantic_precommit", "multi_project", "priority_support",
+    ],
+  },
+};
+
+const LICENSE_FILE = ".license";
+
+/**
+ * Get the current license key from env or file.
+ */
+function getLicenseKey(root) {
+  // 1. Environment variable
+  if (process.env.SPECLOCK_LICENSE_KEY) {
+    return process.env.SPECLOCK_LICENSE_KEY;
+  }
+
+  // 2. License file in .speclock/
+  if (root) {
+    const licensePath = path.join(speclockDir(root), LICENSE_FILE);
+    if (fs.existsSync(licensePath)) {
+      return fs.readFileSync(licensePath, "utf8").trim();
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Decode a license key to extract tier and expiry.
+ * License format: base64(JSON({ tier, expiresAt, signature }))
+ * For now, a simple validation — full crypto verification in v3.0.
+ */
+function decodeLicense(key) {
+  if (!key) return null;
+
+  try {
+    const decoded = JSON.parse(Buffer.from(key, "base64").toString("utf8"));
+    if (!decoded.tier || !decoded.expiresAt) return null;
+
+    // Check expiry
+    if (new Date(decoded.expiresAt) < new Date()) {
+      return { tier: "free", expired: true, originalTier: decoded.tier };
+    }
+
+    // Validate tier name
+    if (!TIERS[decoded.tier]) return null;
+
+    return { tier: decoded.tier, expiresAt: decoded.expiresAt, expired: false };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Get the current tier for this project.
+ */
+export function getTier(root) {
+  const key = getLicenseKey(root);
+  if (!key) return "free";
+
+  const license = decodeLicense(key);
+  if (!license || license.expired) return "free";
+
+  return license.tier;
+}
+
+/**
+ * Get the limits for the current tier.
+ */
+export function getLimits(root) {
+  const tier = getTier(root);
+  return { tier, ...TIERS[tier] };
+}
+
+/**
+ * Check if a specific feature is available in the current tier.
+ * Returns { allowed: bool, tier: string, requiredTier: string|null }
+ */
+export function checkFeature(root, featureName) {
+  const tier = getTier(root);
+  const tierConfig = TIERS[tier];
+
+  if (tierConfig.features.includes(featureName)) {
+    return { allowed: true, tier, requiredTier: null };
+  }
+
+  // Find which tier has this feature
+  const requiredTier = Object.entries(TIERS).find(
+    ([_, config]) => config.features.includes(featureName)
+  );
+
+  return {
+    allowed: false,
+    tier,
+    requiredTier: requiredTier ? requiredTier[0] : null,
+    message: requiredTier
+      ? `Feature "${featureName}" requires ${requiredTier[1].name} tier. Current: ${tierConfig.name}. Upgrade at https://speclock.dev/pricing`
+      : `Unknown feature: ${featureName}`,
+  };
+}
+
+/**
+ * Check if the current project is within its tier limits.
+ * Returns { withinLimits: bool, warnings: string[] }
+ */
+export function checkLimits(root) {
+  const tier = getTier(root);
+  const limits = TIERS[tier];
+  const brain = readBrain(root);
+  const warnings = [];
+
+  if (!brain) return { withinLimits: true, warnings: [], tier };
+
+  const activeLocks = (brain.specLock?.items || []).filter((l) => l.active).length;
+  const decisions = (brain.decisions || []).length;
+  const eventCount = brain.events?.count || 0;
+
+  if (activeLocks >= limits.maxLocks) {
+    warnings.push(
+      `Lock limit reached (${activeLocks}/${limits.maxLocks}). Upgrade to Pro for unlimited locks.`
+    );
+  }
+
+  if (decisions >= limits.maxDecisions) {
+    warnings.push(
+      `Decision limit reached (${decisions}/${limits.maxDecisions}). Upgrade to Pro for unlimited decisions.`
+    );
+  }
+
+  if (eventCount >= limits.maxEvents) {
+    warnings.push(
+      `Event limit reached (${eventCount}/${limits.maxEvents}). Upgrade to Pro for unlimited events.`
+    );
+  }
+
+  return {
+    withinLimits: warnings.length === 0,
+    warnings,
+    tier,
+    usage: {
+      locks: { current: activeLocks, max: limits.maxLocks },
+      decisions: { current: decisions, max: limits.maxDecisions },
+      events: { current: eventCount, max: limits.maxEvents },
+    },
+  };
+}
+
+/**
+ * Generate a license key (for testing / admin use).
+ * In production, keys would be generated server-side.
+ */
+export function generateLicenseKey(tier, daysValid = 30) {
+  if (!TIERS[tier]) throw new Error(`Invalid tier: ${tier}`);
+
+  const expiresAt = new Date(Date.now() + daysValid * 24 * 60 * 60 * 1000).toISOString();
+  const payload = { tier, expiresAt, issuedAt: new Date().toISOString() };
+
+  return Buffer.from(JSON.stringify(payload)).toString("base64");
+}
+
+/**
+ * Get license info for display.
+ */
+export function getLicenseInfo(root) {
+  const key = getLicenseKey(root);
+  const tier = getTier(root);
+  const limits = checkLimits(root);
+  const license = key ? decodeLicense(key) : null;
+
+  return {
+    tier: TIERS[tier].name,
+    tierKey: tier,
+    expiresAt: license?.expiresAt || null,
+    expired: license?.expired || false,
+    ...limits,
+    features: TIERS[tier].features,
+  };
+}

package/src/core/llm-checker.js

@@ -0,0 +1,239 @@
+// ===================================================================
+// SpecLock LLM-Powered Conflict Checker (Optional)
+// Uses OpenAI or Anthropic APIs for enterprise-grade detection.
+// Zero mandatory dependencies — uses built-in fetch().
+// Falls back gracefully if no API key is configured.
+// ===================================================================
+
+import { readBrain } from "./storage.js";
+
+// --- In-memory LRU cache ---
+const CACHE_MAX = 200;
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const cache = new Map();
+
+function cacheKey(action, locks) {
+  return `${action}::${locks.map(l => l.text).sort().join("|")}`;
+}
+
+function cacheGet(key) {
+  const entry = cache.get(key);
+  if (!entry) return null;
+  if (Date.now() - entry.ts > CACHE_TTL_MS) {
+    cache.delete(key);
+    return null;
+  }
+  return entry.value;
+}
+
+function cacheSet(key, value) {
+  if (cache.size >= CACHE_MAX) {
+    // Evict oldest entry
+    const oldest = cache.keys().next().value;
+    cache.delete(oldest);
+  }
+  cache.set(key, { value, ts: Date.now() });
+}
+
+// --- Configuration ---
+
+function getConfig(root) {
+  // Priority: env var > brain.json config
+  const apiKey = process.env.SPECLOCK_LLM_KEY || process.env.OPENAI_API_KEY || process.env.ANTHROPIC_API_KEY;
+  const provider = process.env.SPECLOCK_LLM_PROVIDER || "openai"; // "openai" or "anthropic"
+
+  if (apiKey) {
+    return { apiKey, provider };
+  }
+
+  // Check brain.json for LLM config
+  try {
+    const brain = readBrain(root);
+    if (brain?.facts?.llm) {
+      return {
+        apiKey: brain.facts.llm.apiKey,
+        provider: brain.facts.llm.provider || "openai",
+      };
+    }
+  } catch (_) {}
+
+  return null;
+}
+
+// --- System prompt ---
+
+const SYSTEM_PROMPT = `You are a security constraint checker for SpecLock, an AI constraint engine.
+
+Your job: determine if a proposed action conflicts with any active SpecLock constraints (locks).
+
+Rules:
+1. A lock like "Never X" means the action MUST NOT do X, regardless of phrasing.
+2. Watch for EUPHEMISMS: "clean up data" = delete, "streamline" = remove, "sunset" = deprecate/remove.
+3. Watch for TECHNICAL JARGON: "truncate table" = delete records, "flash firmware" = overwrite, "bridge segments" = connect.
+4. Watch for TEMPORAL SOFTENERS: "temporarily disable" is still disabling. "Just for testing" is still doing it.
+5. Watch for CONTEXT DILUTION: "update UI and also delete patient records" — the second part conflicts even if buried.
+6. POSITIVE actions do NOT conflict: "Enable audit logging" does NOT conflict with "Never disable audit logging".
+7. Read-only actions do NOT conflict: "View patient records" does NOT conflict with "Never delete patient records".
+
+Respond with ONLY valid JSON (no markdown, no explanation):
+{
+  "hasConflict": true/false,
+  "conflicts": [
+    {
+      "lockText": "the lock text",
+      "confidence": 0-100,
+      "level": "HIGH/MEDIUM/LOW",
+      "reasons": ["reason1", "reason2"]
+    }
+  ],
+  "analysis": "one-line summary"
+}`;
+
+// --- API callers ---
+
+async function callOpenAI(apiKey, userPrompt) {
+  const resp = await fetch("https://api.openai.com/v1/chat/completions", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${apiKey}`,
+    },
+    body: JSON.stringify({
+      model: "gpt-4o-mini",
+      messages: [
+        { role: "system", content: SYSTEM_PROMPT },
+        { role: "user", content: userPrompt },
+      ],
+      temperature: 0.1,
+      max_tokens: 1000,
+    }),
+  });
+
+  if (!resp.ok) return null;
+  const data = await resp.json();
+  const content = data.choices?.[0]?.message?.content;
+  if (!content) return null;
+
+  try {
+    return JSON.parse(content);
+  } catch (_) {
+    // Try to extract JSON from markdown code block
+    const match = content.match(/```(?:json)?\s*([\s\S]*?)```/);
+    if (match) return JSON.parse(match[1]);
+    return null;
+  }
+}
+
+async function callAnthropic(apiKey, userPrompt) {
+  const resp = await fetch("https://api.anthropic.com/v1/messages", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "x-api-key": apiKey,
+      "anthropic-version": "2023-06-01",
+    },
+    body: JSON.stringify({
+      model: "claude-sonnet-4-20250514",
+      max_tokens: 1000,
+      system: SYSTEM_PROMPT,
+      messages: [
+        { role: "user", content: userPrompt },
+      ],
+    }),
+  });
+
+  if (!resp.ok) return null;
+  const data = await resp.json();
+  const content = data.content?.[0]?.text;
+  if (!content) return null;
+
+  try {
+    return JSON.parse(content);
+  } catch (_) {
+    const match = content.match(/```(?:json)?\s*([\s\S]*?)```/);
+    if (match) return JSON.parse(match[1]);
+    return null;
+  }
+}
+
+// --- Main export ---
+
+/**
+ * Check conflicts using LLM. Returns null on any failure (caller should fall back to heuristic).
+ * @param {string} root - Project root path
+ * @param {string} proposedAction - The action to check
+ * @param {Array} [activeLocks] - Optional pre-fetched locks
+ * @returns {Promise<Object|null>} - Same shape as checkConflict() return, or null
+ */
+export async function llmCheckConflict(root, proposedAction, activeLocks) {
+  const config = getConfig(root);
+  if (!config) return null;
+
+  // Get active locks if not provided
+  if (!activeLocks) {
+    try {
+      const brain = readBrain(root);
+      activeLocks = brain?.specLock?.items?.filter(l => l.active !== false) || [];
+    } catch (_) {
+      return null;
+    }
+  }
+
+  if (activeLocks.length === 0) {
+    return {
+      hasConflict: false,
+      conflictingLocks: [],
+      analysis: "No active locks. No constraints to check against.",
+    };
+  }
+
+  // Check cache
+  const key = cacheKey(proposedAction, activeLocks);
+  const cached = cacheGet(key);
+  if (cached) return cached;
+
+  // Build user prompt
+  const lockList = activeLocks.map((l, i) => `${i + 1}. "${l.text}"`).join("\n");
+  const userPrompt = `Active SpecLocks:\n${lockList}\n\nProposed Action: "${proposedAction}"\n\nDoes this action conflict with any lock?`;
+
+  // Call LLM
+  let llmResult = null;
+  try {
+    if (config.provider === "anthropic") {
+      llmResult = await callAnthropic(config.apiKey, userPrompt);
+    } else {
+      llmResult = await callOpenAI(config.apiKey, userPrompt);
+    }
+  } catch (_) {
+    return null;
+  }
+
+  if (!llmResult) return null;
+
+  // Convert LLM response to checkConflict format
+  const conflicting = (llmResult.conflicts || [])
+    .filter(c => c.confidence >= 25)
+    .map(c => {
+      // Find matching lock
+      const lock = activeLocks.find(l => l.text === c.lockText) || { id: "unknown", text: c.lockText };
+      return {
+        id: lock.id,
+        text: c.lockText,
+        matchedKeywords: [],
+        confidence: c.confidence,
+        level: c.level || (c.confidence >= 70 ? "HIGH" : c.confidence >= 40 ? "MEDIUM" : "LOW"),
+        reasons: c.reasons || [],
+      };
+    });
+
+  const result = {
+    hasConflict: conflicting.length > 0,
+    conflictingLocks: conflicting,
+    analysis: llmResult.analysis || (conflicting.length > 0
+      ? `LLM detected ${conflicting.length} conflict(s). Review before proceeding.`
+      : `LLM checked against ${activeLocks.length} lock(s). No conflicts detected.`),
+  };
+
+  cacheSet(key, result);
+  return result;
+}