Harden CHORUS security and messaging stack

2025-09-20 23:21:35 +10:00
parent 57751f277a
commit 1bb736c09a
25 changed files with 2793 additions and 2474 deletions
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -28,17 +28,18 @@ type Config struct {

 // AgentConfig defines agent-specific settings
 type AgentConfig struct {
-	ID                       string   `yaml:"id"`
-	Specialization           string   `yaml:"specialization"`
-	MaxTasks                 int      `yaml:"max_tasks"`
-	Capabilities             []string `yaml:"capabilities"`
-	Models                   []string `yaml:"models"`
-	Role                     string   `yaml:"role"`
-	Expertise                []string `yaml:"expertise"`
-	ReportsTo                string   `yaml:"reports_to"`
-	Deliverables             []string `yaml:"deliverables"`
-	ModelSelectionWebhook    string   `yaml:"model_selection_webhook"`
-	DefaultReasoningModel    string   `yaml:"default_reasoning_model"`
+	ID                    string   `yaml:"id"`
+	Specialization        string   `yaml:"specialization"`
+	MaxTasks              int      `yaml:"max_tasks"`
+	Capabilities          []string `yaml:"capabilities"`
+	Models                []string `yaml:"models"`
+	Role                  string   `yaml:"role"`
+	Project               string   `yaml:"project"`
+	Expertise             []string `yaml:"expertise"`
+	ReportsTo             string   `yaml:"reports_to"`
+	Deliverables          []string `yaml:"deliverables"`
+	ModelSelectionWebhook string   `yaml:"model_selection_webhook"`
+	DefaultReasoningModel string   `yaml:"default_reasoning_model"`
 }

 // NetworkConfig defines network and API settings
@@ -65,9 +66,9 @@ type LicenseConfig struct {

 // AIConfig defines AI service settings
 type AIConfig struct {
-	Provider   string          `yaml:"provider"`
-	Ollama     OllamaConfig    `yaml:"ollama"`
-	ResetData  ResetDataConfig `yaml:"resetdata"`
+	Provider  string          `yaml:"provider"`
+	Ollama    OllamaConfig    `yaml:"ollama"`
+	ResetData ResetDataConfig `yaml:"resetdata"`
 }

 // OllamaConfig defines Ollama-specific settings
@@ -78,10 +79,10 @@ type OllamaConfig struct {

 // ResetDataConfig defines ResetData LLM service settings
 type ResetDataConfig struct {
-	BaseURL   string        `yaml:"base_url"`
-	APIKey    string        `yaml:"api_key"`
-	Model     string        `yaml:"model"`
-	Timeout   time.Duration `yaml:"timeout"`
+	BaseURL string        `yaml:"base_url"`
+	APIKey  string        `yaml:"api_key"`
+	Model   string        `yaml:"model"`
+	Timeout time.Duration `yaml:"timeout"`
 }

 // LoggingConfig defines logging settings
@@ -103,9 +104,9 @@ type DHTConfig struct {

 // UCXLConfig defines UCXL protocol settings
 type UCXLConfig struct {
-	Enabled    bool         `yaml:"enabled"`
-	Server     ServerConfig `yaml:"server"`
-	Storage    StorageConfig `yaml:"storage"`
+	Enabled    bool             `yaml:"enabled"`
+	Server     ServerConfig     `yaml:"server"`
+	Storage    StorageConfig    `yaml:"storage"`
 	Resolution ResolutionConfig `yaml:"resolution"`
 }

@@ -133,25 +134,26 @@ type SlurpConfig struct {

 // WHOOSHAPIConfig defines WHOOSH API integration settings
 type WHOOSHAPIConfig struct {
-	URL      string `yaml:"url"`
-	BaseURL  string `yaml:"base_url"`
-	Token    string `yaml:"token"`
-	Enabled  bool   `yaml:"enabled"`
+	URL     string `yaml:"url"`
+	BaseURL string `yaml:"base_url"`
+	Token   string `yaml:"token"`
+	Enabled bool   `yaml:"enabled"`
 }

 // LoadFromEnvironment loads configuration from environment variables
 func LoadFromEnvironment() (*Config, error) {
 	cfg := &Config{
 		Agent: AgentConfig{
-			ID:             getEnvOrDefault("CHORUS_AGENT_ID", ""),
-			Specialization: getEnvOrDefault("CHORUS_SPECIALIZATION", "general_developer"),
-			MaxTasks:       getEnvIntOrDefault("CHORUS_MAX_TASKS", 3),
-			Capabilities:   getEnvArrayOrDefault("CHORUS_CAPABILITIES", []string{"general_development", "task_coordination"}),
-			Models:         getEnvArrayOrDefault("CHORUS_MODELS", []string{"meta/llama-3.1-8b-instruct"}),
-			Role:           getEnvOrDefault("CHORUS_ROLE", ""),
-			Expertise:      getEnvArrayOrDefault("CHORUS_EXPERTISE", []string{}),
-			ReportsTo:      getEnvOrDefault("CHORUS_REPORTS_TO", ""),
-			Deliverables:   getEnvArrayOrDefault("CHORUS_DELIVERABLES", []string{}),
+			ID:                    getEnvOrDefault("CHORUS_AGENT_ID", ""),
+			Specialization:        getEnvOrDefault("CHORUS_SPECIALIZATION", "general_developer"),
+			MaxTasks:              getEnvIntOrDefault("CHORUS_MAX_TASKS", 3),
+			Capabilities:          getEnvArrayOrDefault("CHORUS_CAPABILITIES", []string{"general_development", "task_coordination"}),
+			Models:                getEnvArrayOrDefault("CHORUS_MODELS", []string{"meta/llama-3.1-8b-instruct"}),
+			Role:                  getEnvOrDefault("CHORUS_ROLE", ""),
+			Project:               getEnvOrDefault("CHORUS_PROJECT", "chorus"),
+			Expertise:             getEnvArrayOrDefault("CHORUS_EXPERTISE", []string{}),
+			ReportsTo:             getEnvOrDefault("CHORUS_REPORTS_TO", ""),
+			Deliverables:          getEnvArrayOrDefault("CHORUS_DELIVERABLES", []string{}),
 			ModelSelectionWebhook: getEnvOrDefault("CHORUS_MODEL_SELECTION_WEBHOOK", ""),
 			DefaultReasoningModel: getEnvOrDefault("CHORUS_DEFAULT_REASONING_MODEL", "meta/llama-3.1-8b-instruct"),
 		},
@@ -214,10 +216,10 @@ func LoadFromEnvironment() (*Config, error) {
 			AuditLogging:    getEnvBoolOrDefault("CHORUS_AUDIT_LOGGING", true),
 			AuditPath:       getEnvOrDefault("CHORUS_AUDIT_PATH", "/tmp/chorus-audit.log"),
 			ElectionConfig: ElectionConfig{
-				DiscoveryTimeout:  getEnvDurationOrDefault("CHORUS_DISCOVERY_TIMEOUT", 10*time.Second),
-				HeartbeatTimeout:  getEnvDurationOrDefault("CHORUS_HEARTBEAT_TIMEOUT", 30*time.Second),
-				ElectionTimeout:   getEnvDurationOrDefault("CHORUS_ELECTION_TIMEOUT", 60*time.Second),
-				DiscoveryBackoff:  getEnvDurationOrDefault("CHORUS_DISCOVERY_BACKOFF", 5*time.Second),
+				DiscoveryTimeout: getEnvDurationOrDefault("CHORUS_DISCOVERY_TIMEOUT", 10*time.Second),
+				HeartbeatTimeout: getEnvDurationOrDefault("CHORUS_HEARTBEAT_TIMEOUT", 30*time.Second),
+				ElectionTimeout:  getEnvDurationOrDefault("CHORUS_ELECTION_TIMEOUT", 60*time.Second),
+				DiscoveryBackoff: getEnvDurationOrDefault("CHORUS_DISCOVERY_BACKOFF", 5*time.Second),
 				LeadershipScoring: &LeadershipScoring{
 					UptimeWeight:     0.4,
 					CapabilityWeight: 0.3,
@@ -247,7 +249,7 @@ func (c *Config) Validate() error {
 	if c.License.LicenseID == "" {
 		return fmt.Errorf("CHORUS_LICENSE_ID is required")
 	}
-	
+
 	if c.Agent.ID == "" {
 		// Auto-generate agent ID if not provided
 		hostname, _ := os.Hostname()
@@ -258,7 +260,7 @@ func (c *Config) Validate() error {
 			c.Agent.ID = fmt.Sprintf("chorus-%s", hostname)
 		}
 	}
-	
+
 	return nil
 }

@@ -329,14 +331,14 @@ func getEnvOrFileContent(envKey, fileEnvKey string) string {
 	if value := os.Getenv(envKey); value != "" {
 		return value
 	}
-	
+
 	// Then try reading from file path specified in fileEnvKey
 	if filePath := os.Getenv(fileEnvKey); filePath != "" {
 		if content, err := ioutil.ReadFile(filePath); err == nil {
 			return strings.TrimSpace(string(content))
 		}
 	}
-	
+
 	return ""
 }

@@ -360,4 +362,4 @@ func LoadConfig(configPath string) (*Config, error) {
 func SaveConfig(cfg *Config, configPath string) error {
 	// For containers, configuration is environment-based, so this is a no-op
 	return nil
-}
+}
--- a/pkg/config/security.go
+++ b/pkg/config/security.go
@@ -12,27 +12,27 @@ const (

 // SecurityConfig defines security-related configuration
 type SecurityConfig struct {
-	KeyRotationDays  int           `yaml:"key_rotation_days"`
-	AuditLogging     bool          `yaml:"audit_logging"`
-	AuditPath        string        `yaml:"audit_path"`
-	ElectionConfig   ElectionConfig `yaml:"election"`
+	KeyRotationDays int            `yaml:"key_rotation_days"`
+	AuditLogging    bool           `yaml:"audit_logging"`
+	AuditPath       string         `yaml:"audit_path"`
+	ElectionConfig  ElectionConfig `yaml:"election"`
 }

 // ElectionConfig defines election timing and behavior settings
 type ElectionConfig struct {
-	DiscoveryTimeout   time.Duration `yaml:"discovery_timeout"`
-	HeartbeatTimeout   time.Duration `yaml:"heartbeat_timeout"`
-	ElectionTimeout    time.Duration `yaml:"election_timeout"`
-	DiscoveryBackoff   time.Duration `yaml:"discovery_backoff"`
-	LeadershipScoring  *LeadershipScoring `yaml:"leadership_scoring,omitempty"`
+	DiscoveryTimeout  time.Duration      `yaml:"discovery_timeout"`
+	HeartbeatTimeout  time.Duration      `yaml:"heartbeat_timeout"`
+	ElectionTimeout   time.Duration      `yaml:"election_timeout"`
+	DiscoveryBackoff  time.Duration      `yaml:"discovery_backoff"`
+	LeadershipScoring *LeadershipScoring `yaml:"leadership_scoring,omitempty"`
 }

 // LeadershipScoring defines weights for election scoring
 type LeadershipScoring struct {
-	UptimeWeight      float64 `yaml:"uptime_weight"`
-	CapabilityWeight  float64 `yaml:"capability_weight"`
-	ExperienceWeight  float64 `yaml:"experience_weight"`
-	LoadWeight        float64 `yaml:"load_weight"`
+	UptimeWeight     float64 `yaml:"uptime_weight"`
+	CapabilityWeight float64 `yaml:"capability_weight"`
+	ExperienceWeight float64 `yaml:"experience_weight"`
+	LoadWeight       float64 `yaml:"load_weight"`
 }

 // AgeKeyPair represents an Age encryption key pair
@@ -43,14 +43,14 @@ type AgeKeyPair struct {

 // RoleDefinition represents a role configuration
 type RoleDefinition struct {
-	Name          string      `yaml:"name"`
-	Description   string      `yaml:"description"`
-	Capabilities  []string    `yaml:"capabilities"`
-	AccessLevel   string      `yaml:"access_level"`
-	AuthorityLevel string     `yaml:"authority_level"`
-	Keys          *AgeKeyPair `yaml:"keys,omitempty"`
-	AgeKeys       *AgeKeyPair `yaml:"age_keys,omitempty"` // Legacy field name
-	CanDecrypt    []string    `yaml:"can_decrypt,omitempty"` // Roles this role can decrypt
+	Name           string      `yaml:"name"`
+	Description    string      `yaml:"description"`
+	Capabilities   []string    `yaml:"capabilities"`
+	AccessLevel    string      `yaml:"access_level"`
+	AuthorityLevel string      `yaml:"authority_level"`
+	Keys           *AgeKeyPair `yaml:"keys,omitempty"`
+	AgeKeys        *AgeKeyPair `yaml:"age_keys,omitempty"`    // Legacy field name
+	CanDecrypt     []string    `yaml:"can_decrypt,omitempty"` // Roles this role can decrypt
 }

 // GetPredefinedRoles returns the predefined roles for the system
@@ -65,7 +65,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
 			CanDecrypt:     []string{"project_manager", "backend_developer", "frontend_developer", "devops_engineer", "security_engineer"},
 		},
 		"backend_developer": {
-			Name:           "backend_developer", 
+			Name:           "backend_developer",
 			Description:    "Backend development and API work",
 			Capabilities:   []string{"backend", "api", "database"},
 			AccessLevel:    "medium",
@@ -90,12 +90,52 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
 		},
 		"security_engineer": {
 			Name:           "security_engineer",
-			Description:    "Security oversight and hardening", 
+			Description:    "Security oversight and hardening",
 			Capabilities:   []string{"security", "audit", "compliance"},
 			AccessLevel:    "high",
 			AuthorityLevel: AuthorityAdmin,
 			CanDecrypt:     []string{"security_engineer", "project_manager", "backend_developer", "frontend_developer", "devops_engineer"},
 		},
+		"security_expert": {
+			Name:           "security_expert",
+			Description:    "Advanced security analysis and policy work",
+			Capabilities:   []string{"security", "policy", "response"},
+			AccessLevel:    "high",
+			AuthorityLevel: AuthorityAdmin,
+			CanDecrypt:     []string{"security_expert", "security_engineer", "project_manager"},
+		},
+		"senior_software_architect": {
+			Name:           "senior_software_architect",
+			Description:    "Architecture governance and system design",
+			Capabilities:   []string{"architecture", "design", "coordination"},
+			AccessLevel:    "high",
+			AuthorityLevel: AuthorityAdmin,
+			CanDecrypt:     []string{"senior_software_architect", "project_manager", "backend_developer", "frontend_developer"},
+		},
+		"qa_engineer": {
+			Name:           "qa_engineer",
+			Description:    "Quality assurance and testing",
+			Capabilities:   []string{"testing", "validation"},
+			AccessLevel:    "medium",
+			AuthorityLevel: AuthorityFull,
+			CanDecrypt:     []string{"qa_engineer", "backend_developer", "frontend_developer"},
+		},
+		"readonly_user": {
+			Name:           "readonly_user",
+			Description:    "Read-only observer with audit access",
+			Capabilities:   []string{"observation"},
+			AccessLevel:    "low",
+			AuthorityLevel: AuthorityReadOnly,
+			CanDecrypt:     []string{"readonly_user"},
+		},
+		"suggestion_only_role": {
+			Name:           "suggestion_only_role",
+			Description:    "Can propose suggestions but not execute",
+			Capabilities:   []string{"recommendation"},
+			AccessLevel:    "low",
+			AuthorityLevel: AuthoritySuggestion,
+			CanDecrypt:     []string{"suggestion_only_role"},
+		},
 	}
 }

@@ -106,16 +146,16 @@ func (c *Config) CanDecryptRole(targetRole string) (bool, error) {
 	if !exists {
 		return false, nil
 	}
-	
+
 	targetRoleDef, exists := roles[targetRole]
 	if !exists {
 		return false, nil
 	}
-	
+
 	// Simple access level check
 	currentLevel := getAccessLevelValue(currentRole.AccessLevel)
 	targetLevel := getAccessLevelValue(targetRoleDef.AccessLevel)
-	
+
 	return currentLevel >= targetLevel, nil
 }

@@ -130,4 +170,4 @@ func getAccessLevelValue(level string) int {
 	default:
 		return 0
 	}
-}
+}