Harden CHORUS security and messaging stack

anthonyrawlins
2025-09-20 23:21:35 +10:00
parent 57751f277a
commit 1bb736c09a
25 changed files with 2793 additions and 2474 deletions


@@ -21,8 +21,10 @@ import (
"chorus/pkg/dht"
"chorus/pkg/election"
"chorus/pkg/health"
"chorus/pkg/shutdown"
"chorus/pkg/metrics"
"chorus/pkg/prompt"
"chorus/pkg/shhh"
"chorus/pkg/shutdown"
"chorus/pkg/ucxi"
"chorus/pkg/ucxl"
"chorus/pubsub"
@@ -53,8 +55,8 @@ func (l *SimpleLogger) Error(msg string, args ...interface{}) {
// SimpleTaskTracker tracks active tasks for availability reporting
type SimpleTaskTracker struct {
maxTasks int
activeTasks map[string]bool
maxTasks int
activeTasks map[string]bool
decisionPublisher *ucxl.DecisionPublisher
}
@@ -80,7 +82,7 @@ func (t *SimpleTaskTracker) AddTask(taskID string) {
// RemoveTask marks a task as completed and publishes decision if publisher available
func (t *SimpleTaskTracker) RemoveTask(taskID string) {
delete(t.activeTasks, taskID)
// Publish task completion decision if publisher is available
if t.decisionPublisher != nil {
t.publishTaskCompletion(taskID, true, "Task completed successfully", nil)
@@ -92,7 +94,7 @@ func (t *SimpleTaskTracker) publishTaskCompletion(taskID string, success bool, s
if t.decisionPublisher == nil {
return
}
if err := t.decisionPublisher.PublishTaskCompletion(taskID, success, summary, filesModified); err != nil {
fmt.Printf("⚠️ Failed to publish task completion for %s: %v\n", taskID, err)
} else {
@@ -102,32 +104,35 @@ func (t *SimpleTaskTracker) publishTaskCompletion(taskID string, success bool, s
// SharedRuntime contains all the shared P2P infrastructure components
type SharedRuntime struct {
Config *config.Config
Logger *SimpleLogger
Context context.Context
Cancel context.CancelFunc
Node *p2p.Node
PubSub *pubsub.PubSub
HypercoreLog *logging.HypercoreLog
MDNSDiscovery *discovery.MDNSDiscovery
BackbeatIntegration *backbeat.Integration
DHTNode *dht.LibP2PDHT
EncryptedStorage *dht.EncryptedDHTStorage
DecisionPublisher *ucxl.DecisionPublisher
ElectionManager *election.ElectionManager
TaskCoordinator *coordinator.TaskCoordinator
HTTPServer *api.HTTPServer
UCXIServer *ucxi.Server
HealthManager *health.Manager
ShutdownManager *shutdown.Manager
TaskTracker *SimpleTaskTracker
Config *config.Config
Logger *SimpleLogger
Context context.Context
Cancel context.CancelFunc
Node *p2p.Node
PubSub *pubsub.PubSub
HypercoreLog *logging.HypercoreLog
MDNSDiscovery *discovery.MDNSDiscovery
BackbeatIntegration *backbeat.Integration
DHTNode *dht.LibP2PDHT
EncryptedStorage *dht.EncryptedDHTStorage
DecisionPublisher *ucxl.DecisionPublisher
ElectionManager *election.ElectionManager
TaskCoordinator *coordinator.TaskCoordinator
HTTPServer *api.HTTPServer
UCXIServer *ucxi.Server
HealthManager *health.Manager
EnhancedHealth *health.EnhancedHealthChecks
ShutdownManager *shutdown.Manager
TaskTracker *SimpleTaskTracker
Metrics *metrics.CHORUSMetrics
Shhh *shhh.Sentinel
}
// Initialize sets up all shared P2P infrastructure components
func Initialize(appMode string) (*SharedRuntime, error) {
runtime := &SharedRuntime{}
runtime.Logger = &SimpleLogger{}
ctx, cancel := context.WithCancel(context.Background())
runtime.Context = ctx
runtime.Cancel = cancel
@@ -142,7 +147,7 @@ func Initialize(appMode string) (*SharedRuntime, error) {
return nil, fmt.Errorf("configuration error: %v", err)
}
runtime.Config = cfg
runtime.Logger.Info("✅ Configuration loaded successfully")
runtime.Logger.Info("🤖 Agent ID: %s", cfg.Agent.ID)
runtime.Logger.Info("🎯 Specialization: %s", cfg.Agent.Specialization)
@@ -166,6 +171,21 @@ func Initialize(appMode string) (*SharedRuntime, error) {
}
runtime.Logger.Info("✅ AI provider configured successfully")
// Initialize metrics collector
runtime.Metrics = metrics.NewCHORUSMetrics(nil)
// Initialize SHHH sentinel
sentinel, err := shhh.NewSentinel(
shhh.Config{},
shhh.WithFindingObserver(runtime.handleShhhFindings),
)
if err != nil {
return nil, fmt.Errorf("failed to initialize SHHH sentinel: %v", err)
}
sentinel.SetAuditSink(&shhhAuditSink{logger: runtime.Logger})
runtime.Shhh = sentinel
runtime.Logger.Info("🛡️ SHHH sentinel initialized")
// Initialize BACKBEAT integration
var backbeatIntegration *backbeat.Integration
backbeatIntegration, err = backbeat.NewIntegration(cfg, cfg.Agent.ID, runtime.Logger)
@@ -198,6 +218,9 @@ func Initialize(appMode string) (*SharedRuntime, error) {
// Initialize Hypercore-style logger for P2P coordination
hlog := logging.NewHypercoreLog(node.ID())
if runtime.Shhh != nil {
hlog.SetRedactor(runtime.Shhh)
}
hlog.Append(logging.PeerJoined, map[string]interface{}{"status": "started"})
runtime.HypercoreLog = hlog
runtime.Logger.Info("📝 Hypercore logger initialized")
@@ -214,8 +237,11 @@ func Initialize(appMode string) (*SharedRuntime, error) {
if err != nil {
return nil, fmt.Errorf("failed to create PubSub: %v", err)
}
if runtime.Shhh != nil {
ps.SetRedactor(runtime.Shhh)
}
runtime.PubSub = ps
runtime.Logger.Info("📡 PubSub system initialized")
// Join role-based topics if role is configured
@@ -294,12 +320,12 @@ func (r *SharedRuntime) Cleanup() {
func (r *SharedRuntime) initializeElectionSystem() error {
// === Admin Election System ===
electionManager := election.NewElectionManager(r.Context, r.Config, r.Node.Host(), r.PubSub, r.Node.ID().ShortString())
// Set election callbacks with BACKBEAT integration
electionManager.SetCallbacks(
func(oldAdmin, newAdmin string) {
r.Logger.Info("👑 Admin changed: %s -> %s", oldAdmin, newAdmin)
// Track admin change with BACKBEAT if available
if r.BackbeatIntegration != nil {
operationID := fmt.Sprintf("admin-change-%d", time.Now().Unix())
@@ -311,7 +337,7 @@ func (r *SharedRuntime) initializeElectionSystem() error {
r.BackbeatIntegration.CompleteP2POperation(operationID, 1)
}
}
// If this node becomes admin, enable SLURP functionality
if newAdmin == r.Node.ID().ShortString() {
r.Logger.Info("🎯 This node is now admin - enabling SLURP functionality")
@@ -324,12 +350,12 @@ func (r *SharedRuntime) initializeElectionSystem() error {
},
func(winner string) {
r.Logger.Info("🏆 Election completed, winner: %s", winner)
// Track election completion with BACKBEAT if available
if r.BackbeatIntegration != nil {
operationID := fmt.Sprintf("election-completed-%d", time.Now().Unix())
if err := r.BackbeatIntegration.StartP2POperation(operationID, "election", 1, map[string]interface{}{
"winner": winner,
"winner": winner,
"node_id": r.Node.ID().ShortString(),
}); err == nil {
r.BackbeatIntegration.CompleteP2POperation(operationID, 1)
@@ -337,22 +363,22 @@ func (r *SharedRuntime) initializeElectionSystem() error {
}
},
)
if err := electionManager.Start(); err != nil {
return fmt.Errorf("failed to start election manager: %v", err)
}
r.ElectionManager = electionManager
r.Logger.Info("✅ Election manager started with automated heartbeat management")
return nil
}
func (r *SharedRuntime) initializeDHTStorage() error {
// === DHT Storage and Decision Publishing ===
var dhtNode *dht.LibP2PDHT
var encryptedStorage *dht.EncryptedDHTStorage
var encryptedStorage *dht.EncryptedDHTStorage
var decisionPublisher *ucxl.DecisionPublisher
if r.Config.V2.DHT.Enabled {
// Create DHT
var err error
@@ -361,14 +387,14 @@ func (r *SharedRuntime) initializeDHTStorage() error {
r.Logger.Warn("⚠️ Failed to create DHT: %v", err)
} else {
r.Logger.Info("🕸️ DHT initialized")
// Bootstrap DHT with BACKBEAT tracking
if r.BackbeatIntegration != nil {
operationID := fmt.Sprintf("dht-bootstrap-%d", time.Now().Unix())
if err := r.BackbeatIntegration.StartP2POperation(operationID, "dht_bootstrap", 4, nil); err == nil {
r.BackbeatIntegration.UpdateP2POperationPhase(operationID, backbeat.PhaseConnecting, 0)
}
if err := dhtNode.Bootstrap(); err != nil {
r.Logger.Warn("⚠️ DHT bootstrap failed: %v", err)
r.BackbeatIntegration.FailP2POperation(operationID, err.Error())
@@ -380,22 +406,22 @@ func (r *SharedRuntime) initializeDHTStorage() error {
r.Logger.Warn("⚠️ DHT bootstrap failed: %v", err)
}
}
// Connect to bootstrap peers if configured
// Connect to bootstrap peers if configured
for _, addrStr := range r.Config.V2.DHT.BootstrapPeers {
addr, err := multiaddr.NewMultiaddr(addrStr)
if err != nil {
r.Logger.Warn("⚠️ Invalid bootstrap address %s: %v", addrStr, err)
continue
}
// Extract peer info from multiaddr
info, err := peer.AddrInfoFromP2pAddr(addr)
if err != nil {
r.Logger.Warn("⚠️ Failed to parse peer info from %s: %v", addrStr, err)
continue
}
// Track peer discovery with BACKBEAT if available
if r.BackbeatIntegration != nil {
operationID := fmt.Sprintf("peer-discovery-%d", time.Now().Unix())
@@ -403,7 +429,7 @@ func (r *SharedRuntime) initializeDHTStorage() error {
"peer_addr": addrStr,
}); err == nil {
r.BackbeatIntegration.UpdateP2POperationPhase(operationID, backbeat.PhaseConnecting, 0)
if err := r.Node.Host().Connect(r.Context, *info); err != nil {
r.Logger.Warn("⚠️ Failed to connect to bootstrap peer %s: %v", addrStr, err)
r.BackbeatIntegration.FailP2POperation(operationID, err.Error())
@@ -420,20 +446,20 @@ func (r *SharedRuntime) initializeDHTStorage() error {
}
}
}
// Initialize encrypted storage
encryptedStorage = dht.NewEncryptedDHTStorage(
r.Context,
r.Node.Host(),
r.Node.Host(),
dhtNode,
r.Config,
r.Node.ID().ShortString(),
)
// Start cache cleanup
encryptedStorage.StartCacheCleanup(5 * time.Minute)
r.Logger.Info("🔐 Encrypted DHT storage initialized")
// Initialize decision publisher
decisionPublisher = ucxl.NewDecisionPublisher(
r.Context,
@@ -451,11 +477,24 @@ func (r *SharedRuntime) initializeDHTStorage() error {
r.DHTNode = dhtNode
r.EncryptedStorage = encryptedStorage
r.DecisionPublisher = decisionPublisher
return nil
}
func (r *SharedRuntime) initializeServices() error {
// Create simple task tracker ahead of coordinator so broadcasts stay accurate
taskTracker := &SimpleTaskTracker{
maxTasks: r.Config.Agent.MaxTasks,
activeTasks: make(map[string]bool),
}
// Connect decision publisher to task tracker if available
if r.DecisionPublisher != nil {
taskTracker.decisionPublisher = r.DecisionPublisher
r.Logger.Info("📤 Task completion decisions will be published to DHT")
}
r.TaskTracker = taskTracker
// === Task Coordination Integration ===
taskCoordinator := coordinator.NewTaskCoordinator(
r.Context,
@@ -464,8 +503,9 @@ func (r *SharedRuntime) initializeServices() error {
r.Config,
r.Node.ID().ShortString(),
nil, // HMMM router placeholder
taskTracker,
)
taskCoordinator.Start()
r.TaskCoordinator = taskCoordinator
r.Logger.Info("✅ Task coordination system active")
@@ -487,14 +527,14 @@ func (r *SharedRuntime) initializeServices() error {
if storageDir == "" {
storageDir = filepath.Join(os.TempDir(), "chorus-ucxi-storage")
}
storage, err := ucxi.NewBasicContentStorage(storageDir)
if err != nil {
r.Logger.Warn("⚠️ Failed to create UCXI storage: %v", err)
} else {
resolver := ucxi.NewBasicAddressResolver(r.Node.ID().ShortString())
resolver.SetDefaultTTL(r.Config.UCXL.Resolution.CacheTTL)
ucxiConfig := ucxi.ServerConfig{
Port: r.Config.UCXL.Server.Port,
BasePath: r.Config.UCXL.Server.BasePath,
@@ -502,7 +542,7 @@ func (r *SharedRuntime) initializeServices() error {
Storage: storage,
Logger: ucxi.SimpleLogger{},
}
ucxiServer = ucxi.NewServer(ucxiConfig)
go func() {
r.Logger.Info("🔗 UCXI server starting on :%d", r.Config.UCXL.Server.Port)
@@ -515,35 +555,41 @@ func (r *SharedRuntime) initializeServices() error {
r.Logger.Info("⚪ UCXI server disabled")
}
r.UCXIServer = ucxiServer
// Create simple task tracker
taskTracker := &SimpleTaskTracker{
maxTasks: r.Config.Agent.MaxTasks,
activeTasks: make(map[string]bool),
}
// Connect decision publisher to task tracker if available
if r.DecisionPublisher != nil {
taskTracker.decisionPublisher = r.DecisionPublisher
r.Logger.Info("📤 Task completion decisions will be published to DHT")
}
r.TaskTracker = taskTracker
return nil
}
func (r *SharedRuntime) handleShhhFindings(ctx context.Context, findings []shhh.Finding) {
if r == nil || r.Metrics == nil {
return
}
for _, finding := range findings {
r.Metrics.IncrementSHHHFindings(finding.Rule, string(finding.Severity), finding.Count)
}
}
type shhhAuditSink struct {
logger *SimpleLogger
}
func (s *shhhAuditSink) RecordRedaction(_ context.Context, event shhh.AuditEvent) {
if s == nil || s.logger == nil {
return
}
s.logger.Warn("🔒 SHHH redaction applied (rule=%s severity=%s path=%s)", event.Rule, event.Severity, event.Path)
}
// initializeAIProvider configures the reasoning engine with the appropriate AI provider
func initializeAIProvider(cfg *config.Config, logger *SimpleLogger) error {
// Set the AI provider
reasoning.SetAIProvider(cfg.AI.Provider)
// Configure the selected provider
switch cfg.AI.Provider {
case "resetdata":
if cfg.AI.ResetData.APIKey == "" {
return fmt.Errorf("RESETDATA_API_KEY environment variable is required for resetdata provider")
}
resetdataConfig := reasoning.ResetDataConfig{
BaseURL: cfg.AI.ResetData.BaseURL,
APIKey: cfg.AI.ResetData.APIKey,
@@ -551,19 +597,19 @@ func initializeAIProvider(cfg *config.Config, logger *SimpleLogger) error {
Timeout: cfg.AI.ResetData.Timeout,
}
reasoning.SetResetDataConfig(resetdataConfig)
logger.Info("🌐 ResetData AI provider configured - Endpoint: %s, Model: %s",
logger.Info("🌐 ResetData AI provider configured - Endpoint: %s, Model: %s",
cfg.AI.ResetData.BaseURL, cfg.AI.ResetData.Model)
case "ollama":
reasoning.SetOllamaEndpoint(cfg.AI.Ollama.Endpoint)
logger.Info("🦙 Ollama AI provider configured - Endpoint: %s", cfg.AI.Ollama.Endpoint)
default:
logger.Warn("⚠️ Unknown AI provider '%s', defaulting to resetdata", cfg.AI.Provider)
if cfg.AI.ResetData.APIKey == "" {
return fmt.Errorf("RESETDATA_API_KEY environment variable is required for default resetdata provider")
}
resetdataConfig := reasoning.ResetDataConfig{
BaseURL: cfg.AI.ResetData.BaseURL,
APIKey: cfg.AI.ResetData.APIKey,
@@ -573,7 +619,7 @@ func initializeAIProvider(cfg *config.Config, logger *SimpleLogger) error {
reasoning.SetResetDataConfig(resetdataConfig)
reasoning.SetAIProvider("resetdata")
}
// Configure model selection
reasoning.SetModelConfig(
cfg.Agent.Models,
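Review bot: The sentinel in Initialize is built from a hard-coded `shhh.Config{}`, so what it redacts depends entirely on how NewSentinel treats a zero-value config, which this section does not show. If a zero Config means no rules or a disabled sentinel, the `SetRedactor` calls on the Hypercore log and PubSub become no-ops while startup still logs "SHHH sentinel initialized". I would either build the config from `cfg` or state the reliance on defaults next to the call, e.g. `// zero Config: relies on shhh's built-in default rules; must never yield an empty rule set`, and include the active rule count in the startup log if the sentinel exposes one. The `if runtime.Shhh != nil` guards before both `SetRedactor` calls cannot be false at those points, because the NewSentinel error path already returns. Initialize's body continues outside the visible hunks.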