tony/CHORUS
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

Harden CHORUS security and messaging stack

Browse Source
This commit is contained in:
anthonyrawlins
2025-09-20 23:21:35 +10:00
parent 57751f277a
commit 1bb736c09a
25 changed files with 2793 additions and 2474 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
pkg/config/security.go
View File

@@ -12,27 +12,27 @@ const (
// SecurityConfig defines security-related configuration
type SecurityConfig struct {
KeyRotationDays int `yaml:"key_rotation_days"`
AuditLogging bool `yaml:"audit_logging"`
AuditPath string `yaml:"audit_path"`
ElectionConfig ElectionConfig `yaml:"election"`
KeyRotationDays int `yaml:"key_rotation_days"`
AuditLogging bool `yaml:"audit_logging"`
AuditPath string `yaml:"audit_path"`
ElectionConfig ElectionConfig `yaml:"election"`
}
// ElectionConfig defines election timing and behavior settings
type ElectionConfig struct {
DiscoveryTimeout time.Duration `yaml:"discovery_timeout"`
HeartbeatTimeout time.Duration `yaml:"heartbeat_timeout"`
ElectionTimeout time.Duration `yaml:"election_timeout"`
DiscoveryBackoff time.Duration `yaml:"discovery_backoff"`
LeadershipScoring *LeadershipScoring `yaml:"leadership_scoring,omitempty"`
DiscoveryTimeout time.Duration `yaml:"discovery_timeout"`
HeartbeatTimeout time.Duration `yaml:"heartbeat_timeout"`
ElectionTimeout time.Duration `yaml:"election_timeout"`
DiscoveryBackoff time.Duration `yaml:"discovery_backoff"`
LeadershipScoring *LeadershipScoring `yaml:"leadership_scoring,omitempty"`
}
// LeadershipScoring defines weights for election scoring
type LeadershipScoring struct {
UptimeWeight float64 `yaml:"uptime_weight"`
CapabilityWeight float64 `yaml:"capability_weight"`
ExperienceWeight float64 `yaml:"experience_weight"`
LoadWeight float64 `yaml:"load_weight"`
UptimeWeight float64 `yaml:"uptime_weight"`
CapabilityWeight float64 `yaml:"capability_weight"`
ExperienceWeight float64 `yaml:"experience_weight"`
LoadWeight float64 `yaml:"load_weight"`
}
// AgeKeyPair represents an Age encryption key pair
@@ -43,14 +43,14 @@ type AgeKeyPair struct {
// RoleDefinition represents a role configuration
type RoleDefinition struct {
Name string `yaml:"name"`
Description string `yaml:"description"`
Capabilities []string `yaml:"capabilities"`
AccessLevel string `yaml:"access_level"`
AuthorityLevel string `yaml:"authority_level"`
Keys *AgeKeyPair `yaml:"keys,omitempty"`
AgeKeys *AgeKeyPair `yaml:"age_keys,omitempty"` // Legacy field name
CanDecrypt []string `yaml:"can_decrypt,omitempty"` // Roles this role can decrypt
Name string `yaml:"name"`
Description string `yaml:"description"`
Capabilities []string `yaml:"capabilities"`
AccessLevel string `yaml:"access_level"`
AuthorityLevel string `yaml:"authority_level"`
Keys *AgeKeyPair `yaml:"keys,omitempty"`
AgeKeys *AgeKeyPair `yaml:"age_keys,omitempty"` // Legacy field name
CanDecrypt []string `yaml:"can_decrypt,omitempty"` // Roles this role can decrypt
}
// GetPredefinedRoles returns the predefined roles for the system
@@ -65,7 +65,7 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
CanDecrypt: []string{"project_manager", "backend_developer", "frontend_developer", "devops_engineer", "security_engineer"},
},
"backend_developer": {
Name: "backend_developer",
Name: "backend_developer",
Description: "Backend development and API work",
Capabilities: []string{"backend", "api", "database"},
AccessLevel: "medium",
@@ -90,12 +90,52 @@ func GetPredefinedRoles() map[string]*RoleDefinition {
},
"security_engineer": {
Name: "security_engineer",
Description: "Security oversight and hardening",
Description: "Security oversight and hardening",
Capabilities: []string{"security", "audit", "compliance"},
AccessLevel: "high",
AuthorityLevel: AuthorityAdmin,
CanDecrypt: []string{"security_engineer", "project_manager", "backend_developer", "frontend_developer", "devops_engineer"},
},
"security_expert": {
Name: "security_expert",
Description: "Advanced security analysis and policy work",
Capabilities: []string{"security", "policy", "response"},
AccessLevel: "high",
AuthorityLevel: AuthorityAdmin,
CanDecrypt: []string{"security_expert", "security_engineer", "project_manager"},
},
"senior_software_architect": {
Name: "senior_software_architect",
Description: "Architecture governance and system design",
Capabilities: []string{"architecture", "design", "coordination"},
AccessLevel: "high",
AuthorityLevel: AuthorityAdmin,
CanDecrypt: []string{"senior_software_architect", "project_manager", "backend_developer", "frontend_developer"},
},
"qa_engineer": {
Name: "qa_engineer",
Description: "Quality assurance and testing",
Capabilities: []string{"testing", "validation"},
AccessLevel: "medium",
AuthorityLevel: AuthorityFull,
CanDecrypt: []string{"qa_engineer", "backend_developer", "frontend_developer"},
},
"readonly_user": {
Name: "readonly_user",
Description: "Read-only observer with audit access",
Capabilities: []string{"observation"},
AccessLevel: "low",
AuthorityLevel: AuthorityReadOnly,
CanDecrypt: []string{"readonly_user"},
},
"suggestion_only_role": {
Name: "suggestion_only_role",
Description: "Can propose suggestions but not execute",
Capabilities: []string{"recommendation"},
AccessLevel: "low",
AuthorityLevel: AuthoritySuggestion,
CanDecrypt: []string{"suggestion_only_role"},
},
}
}
@@ -106,16 +146,16 @@ func (c *Config) CanDecryptRole(targetRole string) (bool, error) {
if !exists {
return false, nil
}
targetRoleDef, exists := roles[targetRole]
if !exists {
return false, nil
}
// Simple access level check
currentLevel := getAccessLevelValue(currentRole.AccessLevel)
targetLevel := getAccessLevelValue(targetRoleDef.AccessLevel)
return currentLevel >= targetLevel, nil
}
@@ -130,4 +170,4 @@ func getAccessLevelValue(level string) int {
default:
return 0
}
}
}