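package config

import "time"

// Authority levels for roles. AuthorityLevel on a RoleDefinition is expected
// to hold one of these values.
const (
	AuthorityReadOnly   = "readonly"
	AuthoritySuggestion = "suggestion"
	AuthorityFull       = "full"
	AuthorityAdmin      = "admin"
)

// SecurityConfig defines security-related configuration.
type SecurityConfig struct {
	KeyRotationDays int            `yaml:"key_rotation_days"` // rotation interval in days; not validated in this file
	AuditLogging    bool           `yaml:"audit_logging"`
	AuditPath       string         `yaml:"audit_path"`
	ElectionConfig  ElectionConfig `yaml:"election"`
}

// ElectionConfig defines election timing and behavior settings.
type ElectionConfig struct {
	DiscoveryTimeout  time.Duration      `yaml:"discovery_timeout"`
	HeartbeatTimeout  time.Duration      `yaml:"heartbeat_timeout"`
	ElectionTimeout   time.Duration      `yaml:"election_timeout"`
	DiscoveryBackoff  time.Duration      `yaml:"discovery_backoff"`
	LeadershipScoring *LeadershipScoring `yaml:"leadership_scoring,omitempty"`
}

// LeadershipScoring defines weights for election scoring.
type LeadershipScoring struct {
	UptimeWeight     float64 `yaml:"uptime_weight"`
	CapabilityWeight float64 `yaml:"capability_weight"`
	ExperienceWeight float64 `yaml:"experience_weight"`
	LoadWeight       float64 `yaml:"load_weight"`
}

// AgeKeyPair represents an Age encryption key pair.
//
// PrivateKey is secret material and is (de)serialized together with the rest
// of the YAML configuration. Anything that dumps, logs or pretty-prints a
// RoleDefinition (%v / %+v) will therefore expose it; keep config files that
// carry a private key readable only by the owning user and never log this
// struct as a whole.
type AgeKeyPair struct {
	PublicKey  string `yaml:"public_key"`
	PrivateKey string `yaml:"private_key"`
}

// RoleDefinition represents a role configuration.
//
// CanDecrypt is the explicit allow-list of role names whose content this role
// may decrypt; CanDecryptRole enforces it. Keys and AgeKeys carry the same
// data under the current and the legacy YAML name — which one wins when both
// are set is decided outside this file (TODO confirm in the loader).
type RoleDefinition struct {
	Name           string      `yaml:"name"`
	Description    string      `yaml:"description"`
	Capabilities   []string    `yaml:"capabilities"`
	AccessLevel    string      `yaml:"access_level"`    // "low", "medium" or "high"; see getAccessLevelValue
	AuthorityLevel string      `yaml:"authority_level"` // one of the Authority* constants
	Keys           *AgeKeyPair `yaml:"keys,omitempty"`
	AgeKeys        *AgeKeyPair `yaml:"age_keys,omitempty"`    // Legacy field name
	CanDecrypt     []string    `yaml:"can_decrypt,omitempty"` // Roles this role can decrypt
}

// GetPredefinedRoles returns the predefined roles for the system, keyed by
// role name.
//
// The map and every RoleDefinition in it are freshly allocated on each call,
// so callers may modify the result without affecting later callers. No key
// pairs are attached here; Keys/AgeKeys on these roles are nil until something
// else populates them.
func GetPredefinedRoles() map[string]*RoleDefinition {
	return map[string]*RoleDefinition{
		"project_manager": {
			Name:           "project_manager",
			Description:    "Project coordination and management",
			Capabilities:   []string{"coordination", "planning", "oversight"},
			AccessLevel:    "high",
			AuthorityLevel: AuthorityAdmin,
			CanDecrypt:     []string{"project_manager", "backend_developer", "frontend_developer", "devops_engineer", "security_engineer"},
		},
		"backend_developer": {
			Name:           "backend_developer",
			Description:    "Backend development and API work",
			Capabilities:   []string{"backend", "api", "database"},
			AccessLevel:    "medium",
			AuthorityLevel: AuthorityFull,
			CanDecrypt:     []string{"backend_developer"},
		},
		"frontend_developer": {
			Name:           "frontend_developer",
			Description:    "Frontend UI development",
			Capabilities:   []string{"frontend", "ui", "components"},
			AccessLevel:    "medium",
			AuthorityLevel: AuthorityFull,
			CanDecrypt:     []string{"frontend_developer"},
		},
		"devops_engineer": {
			Name:           "devops_engineer",
			Description:    "Infrastructure and deployment",
			Capabilities:   []string{"infrastructure", "deployment", "monitoring"},
			AccessLevel:    "high",
			AuthorityLevel: AuthorityFull,
			CanDecrypt:     []string{"devops_engineer", "backend_developer"},
		},
		"security_engineer": {
			Name:           "security_engineer",
			Description:    "Security oversight and hardening",
			Capabilities:   []string{"security", "audit", "compliance"},
			AccessLevel:    "high",
			AuthorityLevel: AuthorityAdmin,
			CanDecrypt:     []string{"security_engineer", "project_manager", "backend_developer", "frontend_developer", "devops_engineer"},
		},
	}
}

// CanDecryptRole reports whether the current agent (c.Agent.Role) is allowed
// to decrypt content addressed to targetRole.
//
// The decision is the CanDecrypt allow-list declared on the agent's role in
// GetPredefinedRoles; an unknown current role or target role is denied. The
// error result is always nil and is kept only for interface compatibility.
func (c *Config) CanDecryptRole(targetRole string) (bool, error) {
	return roleCanDecrypt(GetPredefinedRoles(), c.Agent.Role, targetRole), nil
}

// roleCanDecrypt applies currentRole's CanDecrypt allow-list to targetRole.
//
// Both roles must exist in roles and targetRole must be listed in
// currentRole.CanDecrypt. This deliberately replaces the earlier "current
// access level >= target access level" comparison, which granted more than
// the declared lists: every "medium" role could read every other "medium"
// role's content (backend_developer -> frontend_developer) and every "high"
// role could read every other "high" role's content (devops_engineer ->
// security_engineer), none of which CanDecrypt permits.
func roleCanDecrypt(roles map[string]*RoleDefinition, currentRole, targetRole string) bool {
	current, ok := roles[currentRole]
	if !ok || current == nil {
		return false
	}
	if _, ok := roles[targetRole]; !ok {
		return false
	}
	for _, allowed := range current.CanDecrypt {
		if allowed == targetRole {
			return true
		}
	}
	return false
}

// getAccessLevelValue maps an AccessLevel string to an ordinal for
// comparison: low=1, medium=2, high=3. Any other value, including "", maps to
// 0, i.e. below every recognised level.
func getAccessLevelValue(level string) int {
	switch level {
	case "low":
		return 1
	case "medium":
		return 2
	case "high":
		return 3
	default:
		return 0
	}
}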