180 lines
6.4 KiB
Go
180 lines
6.4 KiB
Go
package config
|
|
|
|
import "time"
|
|
|
|
// AuthorityLevel represents the privilege tier associated with a role.
|
|
type AuthorityLevel string
|
|
|
|
// Authority levels for roles (aligned with CHORUS hierarchy).
|
|
const (
|
|
AuthorityMaster AuthorityLevel = "master"
|
|
AuthorityAdmin AuthorityLevel = "admin"
|
|
AuthorityDecision AuthorityLevel = "decision"
|
|
AuthorityCoordination AuthorityLevel = "coordination"
|
|
AuthorityFull AuthorityLevel = "full"
|
|
AuthoritySuggestion AuthorityLevel = "suggestion"
|
|
AuthorityReadOnly AuthorityLevel = "readonly"
|
|
)
|
|
|
|
// SecurityConfig defines security-related configuration
|
|
type SecurityConfig struct {
|
|
KeyRotationDays int `yaml:"key_rotation_days"`
|
|
AuditLogging bool `yaml:"audit_logging"`
|
|
AuditPath string `yaml:"audit_path"`
|
|
ElectionConfig ElectionConfig `yaml:"election"`
|
|
}
|
|
|
|
// ElectionConfig defines election timing and behavior settings
|
|
type ElectionConfig struct {
|
|
DiscoveryTimeout time.Duration `yaml:"discovery_timeout"`
|
|
HeartbeatTimeout time.Duration `yaml:"heartbeat_timeout"`
|
|
ElectionTimeout time.Duration `yaml:"election_timeout"`
|
|
DiscoveryBackoff time.Duration `yaml:"discovery_backoff"`
|
|
LeadershipScoring *LeadershipScoring `yaml:"leadership_scoring,omitempty"`
|
|
}
|
|
|
|
// LeadershipScoring defines weights for election scoring
|
|
type LeadershipScoring struct {
|
|
UptimeWeight float64 `yaml:"uptime_weight"`
|
|
CapabilityWeight float64 `yaml:"capability_weight"`
|
|
ExperienceWeight float64 `yaml:"experience_weight"`
|
|
LoadWeight float64 `yaml:"load_weight"`
|
|
}
|
|
|
|
// AgeKeyPair represents an Age encryption key pair
|
|
type AgeKeyPair struct {
|
|
PublicKey string `yaml:"public_key"`
|
|
PrivateKey string `yaml:"private_key"`
|
|
}
|
|
|
|
// RoleDefinition represents a role configuration
|
|
type RoleDefinition struct {
|
|
Name string `yaml:"name"`
|
|
Description string `yaml:"description"`
|
|
Capabilities []string `yaml:"capabilities"`
|
|
AccessLevel string `yaml:"access_level"`
|
|
AuthorityLevel AuthorityLevel `yaml:"authority_level"`
|
|
Keys *AgeKeyPair `yaml:"keys,omitempty"`
|
|
AgeKeys *AgeKeyPair `yaml:"age_keys,omitempty"` // Legacy field name
|
|
CanDecrypt []string `yaml:"can_decrypt,omitempty"` // Roles this role can decrypt
|
|
}
|
|
|
|
// GetPredefinedRoles returns the predefined roles for the system
|
|
func GetPredefinedRoles() map[string]*RoleDefinition {
|
|
return map[string]*RoleDefinition{
|
|
"project_manager": {
|
|
Name: "project_manager",
|
|
Description: "Project coordination and management",
|
|
Capabilities: []string{"coordination", "planning", "oversight"},
|
|
AccessLevel: "high",
|
|
AuthorityLevel: AuthorityMaster,
|
|
CanDecrypt: []string{"project_manager", "backend_developer", "frontend_developer", "devops_engineer", "security_engineer"},
|
|
},
|
|
"backend_developer": {
|
|
Name: "backend_developer",
|
|
Description: "Backend development and API work",
|
|
Capabilities: []string{"backend", "api", "database"},
|
|
AccessLevel: "medium",
|
|
AuthorityLevel: AuthorityDecision,
|
|
CanDecrypt: []string{"backend_developer"},
|
|
},
|
|
"frontend_developer": {
|
|
Name: "frontend_developer",
|
|
Description: "Frontend UI development",
|
|
Capabilities: []string{"frontend", "ui", "components"},
|
|
AccessLevel: "medium",
|
|
AuthorityLevel: AuthorityCoordination,
|
|
CanDecrypt: []string{"frontend_developer"},
|
|
},
|
|
"devops_engineer": {
|
|
Name: "devops_engineer",
|
|
Description: "Infrastructure and deployment",
|
|
Capabilities: []string{"infrastructure", "deployment", "monitoring"},
|
|
AccessLevel: "high",
|
|
AuthorityLevel: AuthorityDecision,
|
|
CanDecrypt: []string{"devops_engineer", "backend_developer"},
|
|
},
|
|
"security_engineer": {
|
|
Name: "security_engineer",
|
|
Description: "Security oversight and hardening",
|
|
Capabilities: []string{"security", "audit", "compliance"},
|
|
AccessLevel: "high",
|
|
AuthorityLevel: AuthorityMaster,
|
|
CanDecrypt: []string{"security_engineer", "project_manager", "backend_developer", "frontend_developer", "devops_engineer"},
|
|
},
|
|
"security_expert": {
|
|
Name: "security_expert",
|
|
Description: "Advanced security analysis and policy work",
|
|
Capabilities: []string{"security", "policy", "response"},
|
|
AccessLevel: "high",
|
|
AuthorityLevel: AuthorityMaster,
|
|
CanDecrypt: []string{"security_expert", "security_engineer", "project_manager"},
|
|
},
|
|
"senior_software_architect": {
|
|
Name: "senior_software_architect",
|
|
Description: "Architecture governance and system design",
|
|
Capabilities: []string{"architecture", "design", "coordination"},
|
|
AccessLevel: "high",
|
|
AuthorityLevel: AuthorityDecision,
|
|
CanDecrypt: []string{"senior_software_architect", "project_manager", "backend_developer", "frontend_developer"},
|
|
},
|
|
"qa_engineer": {
|
|
Name: "qa_engineer",
|
|
Description: "Quality assurance and testing",
|
|
Capabilities: []string{"testing", "validation"},
|
|
AccessLevel: "medium",
|
|
AuthorityLevel: AuthorityCoordination,
|
|
CanDecrypt: []string{"qa_engineer", "backend_developer", "frontend_developer"},
|
|
},
|
|
"readonly_user": {
|
|
Name: "readonly_user",
|
|
Description: "Read-only observer with audit access",
|
|
Capabilities: []string{"observation"},
|
|
AccessLevel: "low",
|
|
AuthorityLevel: AuthorityReadOnly,
|
|
CanDecrypt: []string{"readonly_user"},
|
|
},
|
|
"suggestion_only_role": {
|
|
Name: "suggestion_only_role",
|
|
Description: "Can propose suggestions but not execute",
|
|
Capabilities: []string{"recommendation"},
|
|
AccessLevel: "low",
|
|
AuthorityLevel: AuthoritySuggestion,
|
|
CanDecrypt: []string{"suggestion_only_role"},
|
|
},
|
|
}
|
|
}
|
|
|
|
// CanDecryptRole checks if the current agent can decrypt content for a target role
|
|
func (c *Config) CanDecryptRole(targetRole string) (bool, error) {
|
|
roles := GetPredefinedRoles()
|
|
currentRole, exists := roles[c.Agent.Role]
|
|
if !exists {
|
|
return false, nil
|
|
}
|
|
|
|
targetRoleDef, exists := roles[targetRole]
|
|
if !exists {
|
|
return false, nil
|
|
}
|
|
|
|
// Simple access level check
|
|
currentLevel := getAccessLevelValue(currentRole.AccessLevel)
|
|
targetLevel := getAccessLevelValue(targetRoleDef.AccessLevel)
|
|
|
|
return currentLevel >= targetLevel, nil
|
|
}
|
|
|
|
func getAccessLevelValue(level string) int {
|
|
switch level {
|
|
case "low":
|
|
return 1
|
|
case "medium":
|
|
return 2
|
|
case "high":
|
|
return 3
|
|
default:
|
|
return 0
|
|
}
|
|
}
|