Integrate BACKBEAT SDK and resolve KACHING license validation

Major integrations and fixes: - Added BACKBEAT SDK integration for P2P operation timing - Implemented beat-aware status tracking for distributed operations - Added Docker secrets support for secure license management - Resolved KACHING license validation via HTTPS/TLS - Updated docker-compose configuration for clean stack deployment - Disabled rollback policies to prevent deployment failures - Added license credential storage (CHORUS-DEV-MULTI-001) Technical improvements: - BACKBEAT P2P operation tracking with phase management - Enhanced configuration system with file-based secrets - Improved error handling for license validation - Clean separation of KACHING and CHORUS deployment stacks 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-06 07:56:26 +10:00
parent 543ab216f9
commit 9bdcbe0447
4730 changed files with 1480093 additions and 1916 deletions
--- a/pkg/config/security.go
+++ b/pkg/config/security.go
@@ -0,0 +1,133 @@
+package config
+
+import "time"
+
+// Authority levels for roles
+const (
+	AuthorityReadOnly   = "readonly"
+	AuthoritySuggestion = "suggestion"
+	AuthorityFull       = "full"
+	AuthorityAdmin      = "admin"
+)
+
+// SecurityConfig defines security-related configuration
+type SecurityConfig struct {
+	KeyRotationDays  int           `yaml:"key_rotation_days"`
+	AuditLogging     bool          `yaml:"audit_logging"`
+	AuditPath        string        `yaml:"audit_path"`
+	ElectionConfig   ElectionConfig `yaml:"election"`
+}
+
+// ElectionConfig defines election timing and behavior settings
+type ElectionConfig struct {
+	DiscoveryTimeout   time.Duration `yaml:"discovery_timeout"`
+	HeartbeatTimeout   time.Duration `yaml:"heartbeat_timeout"`
+	ElectionTimeout    time.Duration `yaml:"election_timeout"`
+	DiscoveryBackoff   time.Duration `yaml:"discovery_backoff"`
+	LeadershipScoring  *LeadershipScoring `yaml:"leadership_scoring,omitempty"`
+}
+
+// LeadershipScoring defines weights for election scoring
+type LeadershipScoring struct {
+	UptimeWeight      float64 `yaml:"uptime_weight"`
+	CapabilityWeight  float64 `yaml:"capability_weight"`
+	ExperienceWeight  float64 `yaml:"experience_weight"`
+	LoadWeight        float64 `yaml:"load_weight"`
+}
+
+// AgeKeyPair represents an Age encryption key pair
+type AgeKeyPair struct {
+	PublicKey  string `yaml:"public_key"`
+	PrivateKey string `yaml:"private_key"`
+}
+
+// RoleDefinition represents a role configuration
+type RoleDefinition struct {
+	Name          string      `yaml:"name"`
+	Description   string      `yaml:"description"`
+	Capabilities  []string    `yaml:"capabilities"`
+	AccessLevel   string      `yaml:"access_level"`
+	AuthorityLevel string     `yaml:"authority_level"`
+	Keys          *AgeKeyPair `yaml:"keys,omitempty"`
+	AgeKeys       *AgeKeyPair `yaml:"age_keys,omitempty"` // Legacy field name
+	CanDecrypt    []string    `yaml:"can_decrypt,omitempty"` // Roles this role can decrypt
+}
+
+// GetPredefinedRoles returns the predefined roles for the system
+func GetPredefinedRoles() map[string]*RoleDefinition {
+	return map[string]*RoleDefinition{
+		"project_manager": {
+			Name:           "project_manager",
+			Description:    "Project coordination and management",
+			Capabilities:   []string{"coordination", "planning", "oversight"},
+			AccessLevel:    "high",
+			AuthorityLevel: AuthorityAdmin,
+			CanDecrypt:     []string{"project_manager", "backend_developer", "frontend_developer", "devops_engineer", "security_engineer"},
+		},
+		"backend_developer": {
+			Name:           "backend_developer", 
+			Description:    "Backend development and API work",
+			Capabilities:   []string{"backend", "api", "database"},
+			AccessLevel:    "medium",
+			AuthorityLevel: AuthorityFull,
+			CanDecrypt:     []string{"backend_developer"},
+		},
+		"frontend_developer": {
+			Name:           "frontend_developer",
+			Description:    "Frontend UI development",
+			Capabilities:   []string{"frontend", "ui", "components"},
+			AccessLevel:    "medium",
+			AuthorityLevel: AuthorityFull,
+			CanDecrypt:     []string{"frontend_developer"},
+		},
+		"devops_engineer": {
+			Name:           "devops_engineer",
+			Description:    "Infrastructure and deployment",
+			Capabilities:   []string{"infrastructure", "deployment", "monitoring"},
+			AccessLevel:    "high",
+			AuthorityLevel: AuthorityFull,
+			CanDecrypt:     []string{"devops_engineer", "backend_developer"},
+		},
+		"security_engineer": {
+			Name:           "security_engineer",
+			Description:    "Security oversight and hardening", 
+			Capabilities:   []string{"security", "audit", "compliance"},
+			AccessLevel:    "high",
+			AuthorityLevel: AuthorityAdmin,
+			CanDecrypt:     []string{"security_engineer", "project_manager", "backend_developer", "frontend_developer", "devops_engineer"},
+		},
+	}
+}
+
+// CanDecryptRole checks if the current agent can decrypt content for a target role
+func (c *Config) CanDecryptRole(targetRole string) (bool, error) {
+	roles := GetPredefinedRoles()
+	currentRole, exists := roles[c.Agent.Role]
+	if !exists {
+		return false, nil
+	}
+	
+	targetRoleDef, exists := roles[targetRole]
+	if !exists {
+		return false, nil
+	}
+	
+	// Simple access level check
+	currentLevel := getAccessLevelValue(currentRole.AccessLevel)
+	targetLevel := getAccessLevelValue(targetRoleDef.AccessLevel)
+	
+	return currentLevel >= targetLevel, nil
+}
+
+func getAccessLevelValue(level string) int {
+	switch level {
+	case "low":
+		return 1
+	case "medium":
+		return 2
+	case "high":
+		return 3
+	default:
+		return 0
+	}
+}