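package config

import "time"

// Authority levels a role may hold, from least to most privileged.
const (
	AuthorityReadOnly   = "readonly"
	AuthoritySuggestion = "suggestion"
	AuthorityFull       = "full"
	AuthorityAdmin      = "admin"
)

// Access levels used by RoleDefinition.AccessLevel, from least to most
// privileged. getAccessLevelValue maps them onto a comparable rank.
const (
	accessLevelLow    = "low"
	accessLevelMedium = "medium"
	accessLevelHigh   = "high"
)

// SecurityConfig defines security-related configuration.
type SecurityConfig struct {
	// KeyRotationDays is the rotation interval for keys, in days.
	KeyRotationDays int `yaml:"key_rotation_days"`
	// AuditLogging enables writing audit records to AuditPath.
	AuditLogging bool `yaml:"audit_logging"`
	// AuditPath is the destination for audit output when AuditLogging is set.
	AuditPath string `yaml:"audit_path"`
	// ElectionConfig holds the leader-election timing settings.
	ElectionConfig ElectionConfig `yaml:"election"`
}

// ElectionConfig defines election timing and behavior settings.
type ElectionConfig struct {
	DiscoveryTimeout time.Duration `yaml:"discovery_timeout"`
	HeartbeatTimeout time.Duration `yaml:"heartbeat_timeout"`
	ElectionTimeout  time.Duration `yaml:"election_timeout"`
	DiscoveryBackoff time.Duration `yaml:"discovery_backoff"`
	// LeadershipScoring is optional; nil leaves scoring to the caller's default.
	LeadershipScoring *LeadershipScoring `yaml:"leadership_scoring,omitempty"`
}

// LeadershipScoring defines the weights used to score election candidates.
type LeadershipScoring struct {
	UptimeWeight     float64 `yaml:"uptime_weight"`
	CapabilityWeight float64 `yaml:"capability_weight"`
	ExperienceWeight float64 `yaml:"experience_weight"`
	LoadWeight       float64 `yaml:"load_weight"`
}

// AgeKeyPair represents an Age encryption key pair.
type AgeKeyPair struct {
	PublicKey string `yaml:"public_key"`
	// PrivateKey is secret key material. Because it carries a yaml tag it is
	// emitted whenever a struct containing this pair is marshalled, so any
	// file produced from such a struct contains the private key in the clear.
	PrivateKey string `yaml:"private_key"`
}

// RoleDefinition represents a role configuration.
type RoleDefinition struct {
	Name         string   `yaml:"name"`
	Description  string   `yaml:"description"`
	Capabilities []string `yaml:"capabilities"`
	// AccessLevel is one of accessLevelLow, accessLevelMedium or accessLevelHigh.
	AccessLevel string `yaml:"access_level"`
	// AuthorityLevel is one of the Authority* constants.
	AuthorityLevel string `yaml:"authority_level"`
	Keys           *AgeKeyPair `yaml:"keys,omitempty"`
	// AgeKeys is the legacy field name for Keys; kept so older files still load.
	AgeKeys *AgeKeyPair `yaml:"age_keys,omitempty"`
	// CanDecrypt lists the role names whose content this role may decrypt.
	// It is the explicit allowlist consulted by Config.CanDecryptRole.
	CanDecrypt []string `yaml:"can_decrypt,omitempty"`
}

// GetPredefinedRoles returns the predefined roles for the system, keyed by
// role name. A fresh map with fresh RoleDefinition values is built on every
// call, so callers may modify the result without affecting other callers.
func GetPredefinedRoles() map[string]*RoleDefinition {
	return map[string]*RoleDefinition{
		"project_manager": {
			Name:           "project_manager",
			Description:    "Project coordination and management",
			Capabilities:   []string{"coordination", "planning", "oversight"},
			AccessLevel:    accessLevelHigh,
			AuthorityLevel: AuthorityAdmin,
			CanDecrypt:     []string{"project_manager", "backend_developer", "frontend_developer", "devops_engineer", "security_engineer"},
		},
		"backend_developer": {
			Name:           "backend_developer",
			Description:    "Backend development and API work",
			Capabilities:   []string{"backend", "api", "database"},
			AccessLevel:    accessLevelMedium,
			AuthorityLevel: AuthorityFull,
			CanDecrypt:     []string{"backend_developer"},
		},
		"frontend_developer": {
			Name:           "frontend_developer",
			Description:    "Frontend UI development",
			Capabilities:   []string{"frontend", "ui", "components"},
			AccessLevel:    accessLevelMedium,
			AuthorityLevel: AuthorityFull,
			CanDecrypt:     []string{"frontend_developer"},
		},
		"devops_engineer": {
			Name:           "devops_engineer",
			Description:    "Infrastructure and deployment",
			Capabilities:   []string{"infrastructure", "deployment", "monitoring"},
			AccessLevel:    accessLevelHigh,
			AuthorityLevel: AuthorityFull,
			CanDecrypt:     []string{"devops_engineer", "backend_developer"},
		},
		"security_engineer": {
			Name:           "security_engineer",
			Description:    "Security oversight and hardening",
			Capabilities:   []string{"security", "audit", "compliance"},
			AccessLevel:    accessLevelHigh,
			AuthorityLevel: AuthorityAdmin,
			CanDecrypt:     []string{"security_engineer", "project_manager", "backend_developer", "frontend_developer", "devops_engineer"},
		},
		"security_expert": {
			Name:           "security_expert",
			Description:    "Advanced security analysis and policy work",
			Capabilities:   []string{"security", "policy", "response"},
			AccessLevel:    accessLevelHigh,
			AuthorityLevel: AuthorityAdmin,
			CanDecrypt:     []string{"security_expert", "security_engineer", "project_manager"},
		},
		"senior_software_architect": {
			Name:           "senior_software_architect",
			Description:    "Architecture governance and system design",
			Capabilities:   []string{"architecture", "design", "coordination"},
			AccessLevel:    accessLevelHigh,
			AuthorityLevel: AuthorityAdmin,
			CanDecrypt:     []string{"senior_software_architect", "project_manager", "backend_developer", "frontend_developer"},
		},
		"qa_engineer": {
			Name:           "qa_engineer",
			Description:    "Quality assurance and testing",
			Capabilities:   []string{"testing", "validation"},
			AccessLevel:    accessLevelMedium,
			AuthorityLevel: AuthorityFull,
			CanDecrypt:     []string{"qa_engineer", "backend_developer", "frontend_developer"},
		},
		"readonly_user": {
			Name:           "readonly_user",
			Description:    "Read-only observer with audit access",
			Capabilities:   []string{"observation"},
			AccessLevel:    accessLevelLow,
			AuthorityLevel: AuthorityReadOnly,
			CanDecrypt:     []string{"readonly_user"},
		},
		"suggestion_only_role": {
			Name:           "suggestion_only_role",
			Description:    "Can propose suggestions but not execute",
			Capabilities:   []string{"recommendation"},
			AccessLevel:    accessLevelLow,
			AuthorityLevel: AuthoritySuggestion,
			CanDecrypt:     []string{"suggestion_only_role"},
		},
	}
}

// CanDecryptRole reports whether the agent's configured role (c.Agent.Role)
// may decrypt content addressed to targetRole.
//
// Both roles must be predefined (see GetPredefinedRoles); an unknown role on
// either side is denied rather than reported as an error. The decision is
// driven by the current role's CanDecrypt allowlist — comparing access levels
// alone would let, for example, every medium-level role decrypt every other
// medium-level role regardless of what its allowlist says — and additionally
// requires the current role's access level to rank at least as high as the
// target's, so an allowlist entry can never reach across a level boundary.
// The error result is kept for the existing signature and is currently
// always nil.
func (c *Config) CanDecryptRole(targetRole string) (bool, error) {
	roles := GetPredefinedRoles()
	current, ok := roles[c.Agent.Role]
	if !ok {
		return false, nil
	}
	target, ok := roles[targetRole]
	if !ok {
		return false, nil
	}
	return roleMayDecrypt(current, target), nil
}

// roleMayDecrypt is the pure decision behind CanDecryptRole: target.Name must
// appear in current.CanDecrypt, and current's access level must rank at least
// as high as target's. Nil roles and unrecognized access levels are denied.
func roleMayDecrypt(current, target *RoleDefinition) bool {
	if current == nil || target == nil {
		return false
	}
	listed := false
	for _, name := range current.CanDecrypt {
		if name == target.Name {
			listed = true
			break
		}
	}
	if !listed {
		return false
	}
	currentLevel := getAccessLevelValue(current.AccessLevel)
	targetLevel := getAccessLevelValue(target.AccessLevel)
	// A rank of 0 means the level string was not recognized; deny rather than
	// let two unknown levels compare as equal and pass the check below.
	if currentLevel == 0 || targetLevel == 0 {
		return false
	}
	return currentLevel >= targetLevel
}

// getAccessLevelValue maps an access-level string to a comparable rank:
// low=1, medium=2, high=3. Any other string, including the empty string,
// yields 0 so that unrecognized levels sort below every known level.
func getAccessLevelValue(level string) int {
	switch level {
	case accessLevelLow:
		return 1
	case accessLevelMedium:
		return 2
	case accessLevelHigh:
		return 3
	default:
		return 0
	}
}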