tlc-claude-code 1.3.0 → 1.4.1

package/server/lib/zero-retention.js

@@ -0,0 +1,322 @@
+/**
+ * Zero-Retention Mode
+ *
+ * Master switch that configures all subsystems for zero-data-retention.
+ * When enabled, ensures no sensitive data persists beyond the current session.
+ *
+ * Integrates with:
+ * - sensitive-detector.js - Detects sensitive data types
+ * - retention-policy.js - Configures immediate purge policies
+ * - ephemeral-storage.js - In-memory only storage
+ * - session-purge.js - Automatic session end purging
+ * - memory-exclusion.js - Excludes all files from memory
+ */
+
+import { detectSensitive, getSensitivityLevel } from './sensitive-detector.js';
+import {
+  getPolicy,
+  evaluateRetention,
+  loadPolicies,
+} from './retention-policy.js';
+import { EphemeralStorage } from './ephemeral-storage.js';
+import { SessionPurgeManager, createPurgeManager } from './session-purge.js';
+import { shouldExclude, loadPatterns } from './memory-exclusion.js';
+
+/**
+ * Zero-Retention Mode Class
+ *
+ * Provides a master switch to configure all subsystems for zero data retention.
+ */
+export class ZeroRetentionMode {
+  constructor(options = {}) {
+    this._enabled = false;
+    this._config = null;
+    this._options = options;
+    this._subsystems = {
+      ephemeralStorage: null,
+      sessionPurge: null,
+      memoryExclusion: null,
+    };
+  }
+
+  /**
+   * Enable zero-retention mode
+   * Configures all subsystems for immediate data purging and no persistence.
+   *
+   * @param {Object} options - Configuration options
+   * @param {boolean} options.auditLogging - Enable audit logging (conflicts with zero-retention)
+   * @returns {Object} Result with success status and configuration
+   */
+  enable(options = {}) {
+    const enableOptions = { ...this._options, ...options };
+
+    // Configure ephemeral storage - memory only, encrypted
+    const ephemeralStorageConfig = {
+      encrypt: true,
+      registerExitHandler: true,
+      basePath: null, // No disk persistence
+    };
+
+    // Configure session purge - aggressive purging
+    const sessionPurgeConfig = {
+      aggressive: true,
+      purgeOnSessionEnd: true,
+      purgeOnTimeout: true,
+      idleTimeout: 5 * 60 * 1000, // 5 minutes
+    };
+
+    // Configure memory exclusion - exclude everything
+    const memoryExclusionConfig = {
+      excludeAll: true,
+      mode: 'blacklist',
+      filePatterns: ['*'],
+      contentPatterns: ['*'],
+    };
+
+    // Configure retention policy - immediate purge, no persistence
+    const retentionPolicyConfig = {
+      retention: 'immediate',
+      persist: false,
+    };
+
+    // Store subsystem configurations
+    this._subsystems = {
+      ephemeralStorage: true,
+      sessionPurge: true,
+      memoryExclusion: true,
+    };
+
+    // Build full configuration
+    this._config = {
+      enabled: true,
+      ephemeralStorage: ephemeralStorageConfig,
+      sessionPurge: sessionPurgeConfig,
+      memoryExclusion: memoryExclusionConfig,
+      retentionPolicy: retentionPolicyConfig,
+      auditLogging: enableOptions.auditLogging || false,
+    };
+
+    this._enabled = true;
+
+    return {
+      success: true,
+      enabled: true,
+      subsystems: { ...this._subsystems },
+      config: { ...this._config },
+    };
+  }
+
+  /**
+   * Disable zero-retention mode
+   * Returns all subsystems to normal operation.
+   *
+   * @returns {Object} Result with success status
+   */
+  disable() {
+    this._enabled = false;
+    this._config = {
+      enabled: false,
+      ephemeralStorage: null,
+      sessionPurge: null,
+      memoryExclusion: null,
+      retentionPolicy: null,
+    };
+    this._subsystems = {
+      ephemeralStorage: null,
+      sessionPurge: null,
+      memoryExclusion: null,
+    };
+
+    return {
+      success: true,
+      enabled: false,
+    };
+  }
+
+  /**
+   * Check if zero-retention mode is enabled
+   *
+   * @returns {boolean} True if enabled
+   */
+  isEnabled() {
+    return this._enabled;
+  }
+
+  /**
+   * Get the current configuration
+   *
+   * @returns {Object} Current configuration
+   */
+  getConfig() {
+    if (!this._enabled) {
+      return {
+        enabled: false,
+        ephemeralStorage: null,
+        sessionPurge: null,
+        memoryExclusion: null,
+        retentionPolicy: null,
+      };
+    }
+
+    return { ...this._config };
+  }
+
+  /**
+   * Validate the current configuration for conflicts
+   *
+   * @returns {Object} Validation result with conflicts and warnings
+   */
+  validate() {
+    const conflicts = [];
+    const warnings = [];
+
+    // Check for audit logging conflict
+    if (this._config && this._config.auditLogging) {
+      warnings.push(
+        'Audit logging is enabled but conflicts with zero-retention mode. ' +
+          'Audit logs may retain sensitive data references.'
+      );
+    }
+
+    // Check for persistence conflicts
+    if (this._enabled && this._config) {
+      // Ephemeral storage should not persist
+      if (
+        this._config.ephemeralStorage &&
+        this._config.ephemeralStorage.basePath
+      ) {
+        conflicts.push(
+          'Ephemeral storage has basePath set, which may enable disk persistence.'
+        );
+      }
+
+      // Retention policy should be immediate
+      if (
+        this._config.retentionPolicy &&
+        this._config.retentionPolicy.retention !== 'immediate'
+      ) {
+        conflicts.push(
+          'Retention policy is not set to immediate in zero-retention mode.'
+        );
+      }
+
+      // Retention policy should not persist
+      if (
+        this._config.retentionPolicy &&
+        this._config.retentionPolicy.persist === true
+      ) {
+        conflicts.push('Retention policy has persist enabled in zero-retention mode.');
+      }
+    }
+
+    return {
+      valid: conflicts.length === 0,
+      conflicts,
+      warnings,
+    };
+  }
+
+  /**
+   * Create configured subsystem instances
+   * Returns ready-to-use instances of all subsystems configured for zero-retention.
+   *
+   * @returns {Object} Configured subsystem instances
+   */
+  createSubsystems() {
+    if (!this._enabled) {
+      throw new Error('Zero-retention mode must be enabled before creating subsystems');
+    }
+
+    const ephemeralStorage = new EphemeralStorage(this._config.ephemeralStorage);
+
+    const sessionPurge = createPurgeManager({
+      storage: ephemeralStorage,
+      auditEnabled: false, // Audit logging disabled in zero-retention
+      policies: {
+        sensitivityLevels: {
+          critical: { retention: 'immediate', persist: false },
+          high: { retention: 'immediate', persist: false },
+          medium: { retention: 'immediate', persist: false },
+          low: { retention: 'immediate', persist: false },
+        },
+        dataTypes: {
+          secrets: { retention: 'immediate', persist: false },
+          pii: { retention: 'immediate', persist: false },
+          general: { retention: 'immediate', persist: false },
+        },
+        default: { retention: 'immediate', persist: false },
+      },
+    });
+
+    return {
+      ephemeralStorage,
+      sessionPurge,
+      config: this._config,
+    };
+  }
+}
+
+// Global singleton instance
+let globalInstance = new ZeroRetentionMode();
+
+/**
+ * Enable zero-retention mode globally
+ *
+ * @param {Object} options - Configuration options
+ * @returns {Object} Result with success status
+ */
+export function enable(options = {}) {
+  return globalInstance.enable(options);
+}
+
+/**
+ * Disable zero-retention mode globally
+ *
+ * @returns {Object} Result with success status
+ */
+export function disable() {
+  return globalInstance.disable();
+}
+
+/**
+ * Check if zero-retention mode is enabled globally
+ *
+ * @returns {boolean} True if enabled
+ */
+export function isEnabled() {
+  return globalInstance.isEnabled();
+}
+
+/**
+ * Get the current global configuration
+ *
+ * @returns {Object} Current configuration
+ */
+export function getConfig() {
+  return globalInstance.getConfig();
+}
+
+/**
+ * Validate the current global configuration
+ *
+ * @returns {Object} Validation result
+ */
+export function validate() {
+  return globalInstance.validate();
+}
+
+/**
+ * Reset the global instance (for testing)
+ */
+export function _resetGlobalInstance() {
+  globalInstance = new ZeroRetentionMode();
+}
+
+export default {
+  ZeroRetentionMode,
+  enable,
+  disable,
+  isEnabled,
+  getConfig,
+  validate,
+};

package/server/lib/zero-retention.test.js

@@ -0,0 +1,258 @@
+/**
+ * Zero-Retention Mode Tests
+ *
+ * Tests for the master switch that configures all subsystems for zero-data-retention.
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import {
+  enable,
+  disable,
+  isEnabled,
+  getConfig,
+  validate,
+  ZeroRetentionMode,
+  _resetGlobalInstance,
+} from './zero-retention.js';
+
+// Mock dependencies
+vi.mock('./sensitive-detector.js', () => ({
+  detectSensitive: vi.fn(() => []),
+  getSensitivityLevel: vi.fn(() => 'low'),
+}));
+
+vi.mock('./retention-policy.js', () => ({
+  getPolicy: vi.fn(() => ({ retention: 'immediate', persist: false })),
+  evaluateRetention: vi.fn(() => 'purge'),
+  loadPolicies: vi.fn(() => ({})),
+}));
+
+vi.mock('./ephemeral-storage.js', () => ({
+  EphemeralStorage: vi.fn().mockImplementation(() => ({
+    set: vi.fn(),
+    get: vi.fn(),
+    delete: vi.fn(),
+    clear: vi.fn(),
+    keys: vi.fn(() => []),
+  })),
+}));
+
+vi.mock('./session-purge.js', () => ({
+  SessionPurgeManager: vi.fn().mockImplementation(() => ({
+    onSessionEnd: vi.fn(),
+    onProcessExit: vi.fn(),
+    startIdleTimer: vi.fn(),
+    stopIdleTimer: vi.fn(),
+    forcePurge: vi.fn(),
+  })),
+  createPurgeManager: vi.fn((options) => ({
+    onSessionEnd: vi.fn(),
+    onProcessExit: vi.fn(),
+    startIdleTimer: vi.fn(),
+    stopIdleTimer: vi.fn(),
+    forcePurge: vi.fn(),
+    ...options,
+  })),
+}));
+
+vi.mock('./memory-exclusion.js', () => ({
+  shouldExclude: vi.fn(() => true),
+  loadPatterns: vi.fn(() => ({
+    mode: 'blacklist',
+    filePatterns: ['*'],
+    contentPatterns: ['*'],
+  })),
+}));
+
+describe('Zero-Retention Mode', () => {
+  let zeroRetention;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    // Reset global instance to prevent state leakage
+    _resetGlobalInstance();
+    // Create a fresh instance for each test
+    zeroRetention = new ZeroRetentionMode();
+  });
+
+  afterEach(() => {
+    // Ensure mode is disabled after each test
+    if (zeroRetention && zeroRetention.isEnabled()) {
+      zeroRetention.disable();
+    }
+  });
+
+  describe('enable', () => {
+    it('activates zero-retention mode', () => {
+      const result = zeroRetention.enable();
+
+      expect(result.success).toBe(true);
+      expect(result.enabled).toBe(true);
+      expect(zeroRetention.isEnabled()).toBe(true);
+    });
+
+    it('configures ephemeral storage', () => {
+      const result = zeroRetention.enable();
+
+      expect(result.success).toBe(true);
+      expect(result.subsystems.ephemeralStorage).toBe(true);
+      expect(result.config.ephemeralStorage).toBeDefined();
+      expect(result.config.ephemeralStorage.encrypt).toBe(true);
+    });
+
+    it('configures session purge', () => {
+      const result = zeroRetention.enable();
+
+      expect(result.success).toBe(true);
+      expect(result.subsystems.sessionPurge).toBe(true);
+      expect(result.config.sessionPurge).toBeDefined();
+      expect(result.config.sessionPurge.aggressive).toBe(true);
+    });
+
+    it('configures memory exclusions', () => {
+      const result = zeroRetention.enable();
+
+      expect(result.success).toBe(true);
+      expect(result.subsystems.memoryExclusion).toBe(true);
+      expect(result.config.memoryExclusion).toBeDefined();
+      expect(result.config.memoryExclusion.excludeAll).toBe(true);
+    });
+  });
+
+  describe('disable', () => {
+    it('returns to normal mode', () => {
+      // First enable
+      zeroRetention.enable();
+      expect(zeroRetention.isEnabled()).toBe(true);
+
+      // Then disable
+      const result = zeroRetention.disable();
+
+      expect(result.success).toBe(true);
+      expect(result.enabled).toBe(false);
+      expect(zeroRetention.isEnabled()).toBe(false);
+    });
+  });
+
+  describe('isEnabled', () => {
+    it('returns current state', () => {
+      expect(zeroRetention.isEnabled()).toBe(false);
+
+      zeroRetention.enable();
+      expect(zeroRetention.isEnabled()).toBe(true);
+
+      zeroRetention.disable();
+      expect(zeroRetention.isEnabled()).toBe(false);
+    });
+  });
+
+  describe('getConfig', () => {
+    it('returns active configuration', () => {
+      zeroRetention.enable();
+
+      const config = zeroRetention.getConfig();
+
+      expect(config).toBeDefined();
+      expect(config.enabled).toBe(true);
+      expect(config.ephemeralStorage).toBeDefined();
+      expect(config.sessionPurge).toBeDefined();
+      expect(config.memoryExclusion).toBeDefined();
+      expect(config.retentionPolicy).toBeDefined();
+    });
+
+    it('returns default configuration when disabled', () => {
+      const config = zeroRetention.getConfig();
+
+      expect(config).toBeDefined();
+      expect(config.enabled).toBe(false);
+    });
+  });
+
+  describe('validate', () => {
+    it('checks for conflicts', () => {
+      const result = zeroRetention.validate();
+
+      expect(result).toBeDefined();
+      expect(result.valid).toBeDefined();
+      expect(result.conflicts).toBeDefined();
+      expect(Array.isArray(result.conflicts)).toBe(true);
+    });
+
+    it('warns about audit logging conflict', () => {
+      // Enable with audit logging (which conflicts with zero-retention)
+      zeroRetention.enable({ auditLogging: true });
+
+      const result = zeroRetention.validate();
+
+      expect(result.warnings).toBeDefined();
+      expect(Array.isArray(result.warnings)).toBe(true);
+      expect(
+        result.warnings.some((w) => w.toLowerCase().includes('audit'))
+      ).toBe(true);
+    });
+
+    it('returns valid when no conflicts', () => {
+      zeroRetention.enable();
+
+      const result = zeroRetention.validate();
+
+      expect(result.valid).toBe(true);
+      expect(result.conflicts.length).toBe(0);
+    });
+  });
+
+  describe('module-level functions', () => {
+    it('enable function works', () => {
+      const result = enable();
+      expect(result.success).toBe(true);
+      expect(isEnabled()).toBe(true);
+      disable(); // cleanup
+    });
+
+    it('disable function works', () => {
+      enable();
+      const result = disable();
+      expect(result.success).toBe(true);
+      expect(isEnabled()).toBe(false);
+    });
+
+    it('isEnabled function works', () => {
+      expect(isEnabled()).toBe(false);
+      enable();
+      expect(isEnabled()).toBe(true);
+      disable();
+    });
+
+    it('getConfig function works', () => {
+      enable();
+      const config = getConfig();
+      expect(config).toBeDefined();
+      expect(config.enabled).toBe(true);
+      disable();
+    });
+
+    it('validate function works', () => {
+      const result = validate();
+      expect(result).toBeDefined();
+      expect(result.valid).toBeDefined();
+    });
+  });
+
+  describe('integration with subsystems', () => {
+    it('sets immediate retention policy on enable', () => {
+      zeroRetention.enable();
+
+      const config = zeroRetention.getConfig();
+      expect(config.retentionPolicy.retention).toBe('immediate');
+      expect(config.retentionPolicy.persist).toBe(false);
+    });
+
+    it('restores normal retention policy on disable', () => {
+      zeroRetention.enable();
+      zeroRetention.disable();
+
+      const config = zeroRetention.getConfig();
+      expect(config.retentionPolicy).toBeNull();
+    });
+  });
+});