empathy-framework 5.1.1__py3-none-any.whl → 5.3.0__py3-none-any.whl

empathy_os/memory/control_panel_support.py

@@ -0,0 +1,145 @@
+"""Support classes for Memory Control Panel.
+
+Rate limiting, authentication, and statistics tracking.
+
+Copyright 2025 Smart AI Memory, LLC
+Licensed under Fair Source 0.9
+"""
+
+import hashlib
+import os
+import time
+from collections import defaultdict
+from dataclasses import dataclass
+
+import structlog
+
+logger = structlog.get_logger(__name__)
+
+
+class RateLimiter:
+    """Simple in-memory rate limiter by IP address."""
+
+    def __init__(self, window_seconds: int = 60, max_requests: int = 100):
+        """Initialize rate limiter.
+
+        Args:
+            window_seconds: Time window in seconds
+            max_requests: Maximum requests allowed per window
+
+        Raises:
+            ValueError: If window_seconds or max_requests is invalid
+
+        """
+        if window_seconds < 1:
+            raise ValueError(f"window_seconds must be positive, got {window_seconds}")
+
+        if max_requests < 1:
+            raise ValueError(f"max_requests must be positive, got {max_requests}")
+
+        self.window_seconds = window_seconds
+        self.max_requests = max_requests
+        self._requests: dict[str, list[float]] = defaultdict(list)
+
+    def is_allowed(self, client_ip: str) -> bool:
+        """Check if request is allowed for this IP.
+
+        Args:
+            client_ip: The client IP address
+
+        Returns:
+            True if allowed, False if rate limited
+
+        """
+        now = time.time()
+        window_start = now - self.window_seconds
+
+        # Clean old entries
+        self._requests[client_ip] = [ts for ts in self._requests[client_ip] if ts > window_start]
+
+        # Check if over limit
+        if len(self._requests[client_ip]) >= self.max_requests:
+            logger.warning("rate_limit_exceeded", client_ip=client_ip)
+            return False
+
+        # Record this request
+        self._requests[client_ip].append(now)
+        return True
+
+    def get_remaining(self, client_ip: str) -> int:
+        """Get remaining requests for this IP."""
+        now = time.time()
+        window_start = now - self.window_seconds
+        recent = [ts for ts in self._requests[client_ip] if ts > window_start]
+        return max(0, self.max_requests - len(recent))
+
+
+class APIKeyAuth:
+    """Simple API key authentication."""
+
+    def __init__(self, api_key: str | None = None):
+        """Initialize API key auth.
+
+        Args:
+            api_key: The API key to require. If None, reads from
+                     EMPATHY_MEMORY_API_KEY env var. If still None, auth is disabled.
+
+        """
+        self.api_key = api_key or os.environ.get("EMPATHY_MEMORY_API_KEY")
+        self.enabled = bool(self.api_key)
+        self._key_hash: str | None = None
+        if self.enabled and self.api_key:
+            # Store hash of API key for comparison
+            self._key_hash = hashlib.sha256(self.api_key.encode()).hexdigest()
+            logger.info("api_key_auth_enabled")
+        else:
+            logger.info("api_key_auth_disabled", reason="no_key_configured")
+
+    def is_valid(self, provided_key: str | None) -> bool:
+        """Check if provided API key is valid.
+
+        Args:
+            provided_key: The key provided in the request
+
+        Returns:
+            True if valid or auth disabled, False otherwise
+
+        """
+        if not self.enabled:
+            return True
+
+        if not provided_key:
+            return False
+
+        # Constant-time comparison via hash
+        provided_hash = hashlib.sha256(provided_key.encode()).hexdigest()
+        return provided_hash == self._key_hash
+
+
+@dataclass
+class MemoryStats:
+    """Statistics for memory system."""
+
+    # Redis stats
+    redis_available: bool = False
+    redis_method: str = "none"
+    redis_keys_total: int = 0
+    redis_keys_working: int = 0
+    redis_keys_staged: int = 0
+    redis_memory_used: str = "0"
+
+    # Long-term stats
+    long_term_available: bool = False
+    patterns_total: int = 0
+    patterns_public: int = 0
+    patterns_internal: int = 0
+    patterns_sensitive: int = 0
+    patterns_encrypted: int = 0
+
+    # Performance stats
+    redis_ping_ms: float = 0.0
+    storage_bytes: int = 0
+    collection_time_ms: float = 0.0
+
+    # Timestamps
+    collected_at: str = ""

empathy_os/memory/encryption.py

@@ -0,0 +1,159 @@
+"""Encryption manager for long-term memory system
+
+Provides AES-256-GCM encryption/decryption for SENSITIVE patterns.
+Extracted from long_term.py for better modularity and testability.
+
+Key Features:
+- AES-256-GCM authenticated encryption
+- Master key management (environment variable, file, or generated)
+- Base64-encoded output for safe storage
+- Proper error handling and security logging
+
+Copyright 2025 Smart AI Memory, LLC
+Licensed under Fair Source 0.9
+"""
+
+import base64
+import binascii
+import os
+from pathlib import Path
+
+import structlog
+
+from .long_term_types import SecurityError
+
+logger = structlog.get_logger(__name__)
+
+# Check for cryptography library
+try:
+    from cryptography.exceptions import InvalidTag
+    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+
+    HAS_ENCRYPTION = True
+except ImportError:
+    HAS_ENCRYPTION = False
+    logger.warning("cryptography library not available - encryption disabled")
+
+
+class EncryptionManager:
+    """Manages encryption/decryption for SENSITIVE patterns.
+
+    Uses AES-256-GCM (Galois/Counter Mode) for authenticated encryption.
+    Keys are derived from a master key using HKDF.
+    """
+
+    def __init__(self, master_key: bytes | None = None):
+        """Initialize encryption manager.
+
+        Args:
+            master_key: 32-byte master key (or None to generate/load)
+
+        """
+        if not HAS_ENCRYPTION:
+            logger.warning("Encryption not available - install cryptography library")
+            self.enabled = False
+            return
+
+        self.enabled = True
+        self.master_key = master_key or self._load_or_generate_key()
+
+    def _load_or_generate_key(self) -> bytes:
+        """Load master key from environment or generate new one.
+
+        Production: Set EMPATHY_MASTER_KEY environment variable
+        Development: Generates ephemeral key (warning logged)
+        """
+        # Check environment variable first
+        if env_key := os.getenv("EMPATHY_MASTER_KEY"):
+            try:
+                return base64.b64decode(env_key)
+            except (binascii.Error, ValueError) as e:
+                logger.error("invalid_master_key_in_env", error=str(e))
+                raise ValueError("Invalid EMPATHY_MASTER_KEY format") from e
+
+        # Check key file
+        key_file = Path.home() / ".empathy" / "master.key"
+        if key_file.exists():
+            try:
+                return key_file.read_bytes()
+            except (OSError, PermissionError) as e:
+                logger.error("failed_to_load_key_file", error=str(e))
+
+        # Generate ephemeral key (NOT for production)
+        logger.warning(
+            "no_master_key_found",
+            message="Generating ephemeral encryption key - set EMPATHY_MASTER_KEY for production",
+        )
+        return AESGCM.generate_key(bit_length=256)
+
+    def encrypt(self, plaintext: str) -> str:
+        """Encrypt plaintext using AES-256-GCM.
+
+        Args:
+            plaintext: Content to encrypt
+
+        Returns:
+            Base64-encoded ciphertext with format: nonce||ciphertext||tag
+
+        Raises:
+            SecurityError: If encryption fails
+
+        """
+        if not self.enabled:
+            raise SecurityError("Encryption not available - install cryptography library")
+
+        try:
+            # Generate random 96-bit nonce (12 bytes)
+            nonce = os.urandom(12)
+
+            # Create AESGCM cipher
+            aesgcm = AESGCM(self.master_key)
+
+            # Encrypt and authenticate
+            ciphertext = aesgcm.encrypt(nonce, plaintext.encode("utf-8"), None)
+
+            # Combine nonce + ciphertext for storage
+            encrypted_data = nonce + ciphertext
+
+            # Return base64-encoded
+            return base64.b64encode(encrypted_data).decode("utf-8")
+
+        except (ValueError, TypeError, UnicodeEncodeError) as e:
+            logger.error("encryption_failed", error=str(e))
+            raise SecurityError(f"Encryption failed: {e}") from e
+
+    def decrypt(self, ciphertext_b64: str) -> str:
+        """Decrypt ciphertext using AES-256-GCM.
+
+        Args:
+            ciphertext_b64: Base64-encoded encrypted data
+
+        Returns:
+            Decrypted plaintext
+
+        Raises:
+            SecurityError: If decryption fails (invalid key, corrupted data, etc.)
+
+        """
+        if not self.enabled:
+            raise SecurityError("Encryption not available - install cryptography library")
+
+        try:
+            # Decode from base64
+            encrypted_data = base64.b64decode(ciphertext_b64)
+
+            # Extract nonce (first 12 bytes) and ciphertext (rest)
+            nonce = encrypted_data[:12]
+            ciphertext = encrypted_data[12:]
+
+            # Create AESGCM cipher
+            aesgcm = AESGCM(self.master_key)
+
+            # Decrypt and verify
+            plaintext_bytes = aesgcm.decrypt(nonce, ciphertext, None)
+
+            return plaintext_bytes.decode("utf-8")
+
+        except (ValueError, TypeError, UnicodeDecodeError, binascii.Error, InvalidTag) as e:
+            logger.error("decryption_failed", error=str(e))
+            raise SecurityError(f"Decryption failed: {e}") from e