package intelligence import ( "context" "fmt" "sort" "strings" "sync" "time" "github.com/anthonyrawlins/bzzz/pkg/crypto" slurpContext "github.com/anthonyrawlins/bzzz/pkg/slurp/context" ) // RoleAwareProcessor provides role-based context processing and insight generation type RoleAwareProcessor struct { mu sync.RWMutex config *EngineConfig roleManager *RoleManager securityFilter *SecurityFilter insightGenerator *InsightGenerator accessController *AccessController auditLogger *AuditLogger permissions *PermissionMatrix roleProfiles map[string]*RoleProfile } // RoleManager manages role definitions and hierarchies type RoleManager struct { roles map[string]*Role hierarchies map[string]*RoleHierarchy capabilities map[string]*RoleCapabilities restrictions map[string]*RoleRestrictions } // Role represents an AI agent role with specific permissions and capabilities type Role struct { ID string `json:"id"` Name string `json:"name"` Description string `json:"description"` SecurityLevel int `json:"security_level"` Capabilities []string `json:"capabilities"` Restrictions []string `json:"restrictions"` AccessPatterns []string `json:"access_patterns"` ContextFilters []string `json:"context_filters"` Priority int `json:"priority"` ParentRoles []string `json:"parent_roles"` ChildRoles []string `json:"child_roles"` Metadata map[string]interface{} `json:"metadata"` CreatedAt time.Time `json:"created_at"` UpdatedAt time.Time `json:"updated_at"` IsActive bool `json:"is_active"` } // RoleHierarchy defines role inheritance and relationships type RoleHierarchy struct { ParentRole string `json:"parent_role"` ChildRoles []string `json:"child_roles"` InheritLevel int `json:"inherit_level"` OverrideRules []string `json:"override_rules"` } // RoleCapabilities defines what a role can do type RoleCapabilities struct { RoleID string `json:"role_id"` ReadAccess []string `json:"read_access"` WriteAccess []string `json:"write_access"` ExecuteAccess []string `json:"execute_access"` AnalysisTypes []string `json:"analysis_types"` InsightLevels []string `json:"insight_levels"` SecurityScopes []string `json:"security_scopes"` DataClassifications []string `json:"data_classifications"` } // RoleRestrictions defines what a role cannot do or access type RoleRestrictions struct { RoleID string `json:"role_id"` ForbiddenPaths []string `json:"forbidden_paths"` ForbiddenTypes []string `json:"forbidden_types"` ForbiddenKeywords []string `json:"forbidden_keywords"` TimeRestrictions []string `json:"time_restrictions"` RateLimit *RateLimit `json:"rate_limit"` MaxContextSize int `json:"max_context_size"` MaxInsights int `json:"max_insights"` } // RateLimit defines rate limiting for role operations type RateLimit struct { RequestsPerMinute int `json:"requests_per_minute"` RequestsPerHour int `json:"requests_per_hour"` BurstSize int `json:"burst_size"` WindowSize time.Duration `json:"window_size"` } // SecurityFilter filters content based on role security levels type SecurityFilter struct { classificationLevels map[string]int contentFilters map[string]*ContentFilter accessMatrix *AccessMatrix } // ContentFilter defines content filtering rules type ContentFilter struct { FilterID string `json:"filter_id"` FilterType string `json:"filter_type"` Patterns []string `json:"patterns"` ReplacementText string `json:"replacement_text"` SecurityLevel int `json:"security_level"` ApplyToRoles []string `json:"apply_to_roles"` } // AccessMatrix defines access control rules type AccessMatrix struct { Rules map[string]*AccessRule `json:"rules"` DefaultDeny bool `json:"default_deny"` LastUpdated time.Time `json:"last_updated"` } // AccessRule defines a specific access control rule type AccessRule struct { RuleID string `json:"rule_id"` Roles []string `json:"roles"` ResourcePattern string `json:"resource_pattern"` Actions []string `json:"actions"` Conditions []string `json:"conditions"` Effect string `json:"effect"` // allow, deny Priority int `json:"priority"` } // InsightGenerator generates role-specific insights type InsightGenerator struct { generators map[string]RoleInsightGenerator templates map[string]*InsightTemplate filters map[string]*InsightFilter } // RoleInsightGenerator interface for role-specific insight generation type RoleInsightGenerator interface { GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) GetSupportedRoles() []string GetInsightTypes() []string ValidateContext(node *slurpContext.ContextNode, role *Role) error } // InsightTemplate defines templates for generating insights type InsightTemplate struct { TemplateID string `json:"template_id"` Name string `json:"name"` Template string `json:"template"` Variables []string `json:"variables"` Roles []string `json:"roles"` Category string `json:"category"` Priority int `json:"priority"` Metadata map[string]interface{} `json:"metadata"` } // InsightFilter filters insights based on role permissions type InsightFilter struct { FilterID string `json:"filter_id"` ApplicableRoles []string `json:"applicable_roles"` FilterRules []string `json:"filter_rules"` SecurityLevel int `json:"security_level"` } // AccessController manages access control for role-based operations type AccessController struct { permissions *PermissionMatrix sessions map[string]*RoleSession mu sync.RWMutex } // PermissionMatrix defines comprehensive permissions for roles type PermissionMatrix struct { RolePermissions map[string]*RolePermissions `json:"role_permissions"` ResourceACL map[string]*ResourceACL `json:"resource_acl"` DefaultPolicy string `json:"default_policy"` LastUpdated time.Time `json:"last_updated"` } // RolePermissions defines permissions for a specific role type RolePermissions struct { RoleID string `json:"role_id"` ContextAccess *ContextAccessRights `json:"context_access"` AnalysisAccess *AnalysisAccessRights `json:"analysis_access"` InsightAccess *InsightAccessRights `json:"insight_access"` SystemAccess *SystemAccessRights `json:"system_access"` CustomAccess map[string]interface{} `json:"custom_access"` } // ContextAccessRights defines context-related access rights type ContextAccessRights struct { ReadLevel int `json:"read_level"` WriteLevel int `json:"write_level"` AllowedTypes []string `json:"allowed_types"` ForbiddenTypes []string `json:"forbidden_types"` PathRestrictions []string `json:"path_restrictions"` SizeLimit int `json:"size_limit"` } // AnalysisAccessRights defines analysis-related access rights type AnalysisAccessRights struct { AllowedAnalysisTypes []string `json:"allowed_analysis_types"` MaxComplexity int `json:"max_complexity"` TimeoutLimit time.Duration `json:"timeout_limit"` ResourceLimit int `json:"resource_limit"` } // InsightAccessRights defines insight-related access rights type InsightAccessRights struct { GenerationLevel int `json:"generation_level"` AccessLevel int `json:"access_level"` CategoryFilters []string `json:"category_filters"` ConfidenceThreshold float64 `json:"confidence_threshold"` MaxInsights int `json:"max_insights"` } // SystemAccessRights defines system-level access rights type SystemAccessRights struct { AdminAccess bool `json:"admin_access"` ConfigAccess bool `json:"config_access"` MetricsAccess bool `json:"metrics_access"` AuditAccess bool `json:"audit_access"` AllowedCommands []string `json:"allowed_commands"` } // ResourceACL defines access control for specific resources type ResourceACL struct { ResourceID string `json:"resource_id"` ResourceType string `json:"resource_type"` RoleAccess map[string]string `json:"role_access"` // role_id -> access_level DefaultAccess string `json:"default_access"` RequiredClaims []string `json:"required_claims"` } // RoleSession represents an active role session type RoleSession struct { SessionID string `json:"session_id"` RoleID string `json:"role_id"` UserID string `json:"user_id"` CreatedAt time.Time `json:"created_at"` LastAccess time.Time `json:"last_access"` ExpiresAt time.Time `json:"expires_at"` Permissions *RolePermissions `json:"permissions"` Context map[string]interface{} `json:"context"` IsActive bool `json:"is_active"` } // AuditLogger logs role-based access and operations type AuditLogger struct { mu sync.Mutex entries []*AuditEntry config *AuditConfig } // AuditEntry represents an audit log entry type AuditEntry struct { ID string `json:"id"` Timestamp time.Time `json:"timestamp"` RoleID string `json:"role_id"` Action string `json:"action"` Resource string `json:"resource"` Result string `json:"result"` // success, denied, error Details string `json:"details"` Context map[string]interface{} `json:"context"` SecurityLevel int `json:"security_level"` } // AuditConfig defines audit logging configuration type AuditConfig struct { LogLevel string `json:"log_level"` MaxEntries int `json:"max_entries"` RetentionPeriod time.Duration `json:"retention_period"` LogToFile bool `json:"log_to_file"` LogFile string `json:"log_file"` EnableMetrics bool `json:"enable_metrics"` } // RoleProfile contains comprehensive role configuration type RoleProfile struct { Role *Role `json:"role"` Capabilities *RoleCapabilities `json:"capabilities"` Restrictions *RoleRestrictions `json:"restrictions"` Permissions *RolePermissions `json:"permissions"` InsightConfig *RoleInsightConfig `json:"insight_config"` SecurityConfig *RoleSecurityConfig `json:"security_config"` } // RoleInsightConfig defines insight generation configuration for a role type RoleInsightConfig struct { EnabledGenerators []string `json:"enabled_generators"` MaxInsights int `json:"max_insights"` ConfidenceThreshold float64 `json:"confidence_threshold"` CategoryWeights map[string]float64 `json:"category_weights"` CustomFilters []string `json:"custom_filters"` } // RoleSecurityConfig defines security configuration for a role type RoleSecurityConfig struct { EncryptionRequired bool `json:"encryption_required"` AccessLogging bool `json:"access_logging"` RateLimit *RateLimit `json:"rate_limit"` IPWhitelist []string `json:"ip_whitelist"` RequiredClaims []string `json:"required_claims"` } // RoleSpecificInsight represents an insight tailored to a specific role type RoleSpecificInsight struct { ID string `json:"id"` RoleID string `json:"role_id"` Category string `json:"category"` Title string `json:"title"` Content string `json:"content"` Confidence float64 `json:"confidence"` Priority int `json:"priority"` SecurityLevel int `json:"security_level"` Tags []string `json:"tags"` ActionItems []string `json:"action_items"` References []string `json:"references"` Metadata map[string]interface{} `json:"metadata"` GeneratedAt time.Time `json:"generated_at"` ExpiresAt *time.Time `json:"expires_at,omitempty"` } // NewRoleAwareProcessor creates a new role-aware processor func NewRoleAwareProcessor(config *EngineConfig) *RoleAwareProcessor { processor := &RoleAwareProcessor{ config: config, roleManager: NewRoleManager(), securityFilter: NewSecurityFilter(), insightGenerator: NewInsightGenerator(), accessController: NewAccessController(), auditLogger: NewAuditLogger(), permissions: NewPermissionMatrix(), roleProfiles: make(map[string]*RoleProfile), } // Initialize default roles processor.initializeDefaultRoles() return processor } // NewRoleManager creates a role manager with default roles func NewRoleManager() *RoleManager { rm := &RoleManager{ roles: make(map[string]*Role), hierarchies: make(map[string]*RoleHierarchy), capabilities: make(map[string]*RoleCapabilities), restrictions: make(map[string]*RoleRestrictions), } // Initialize with default roles rm.loadDefaultRoles() return rm } // ProcessContextForRole processes context specifically for a given role func (rap *RoleAwareProcessor) ProcessContextForRole(ctx context.Context, node *slurpContext.ContextNode, roleID string) (*slurpContext.ContextNode, error) { // Validate role exists and is active role, err := rap.roleManager.getRole(roleID) if err != nil { return nil, fmt.Errorf("invalid role: %w", err) } // Check access permissions if !rap.accessController.hasAccess(roleID, "context:read", node.Path) { rap.auditLogger.logAccess(roleID, "context:read", node.Path, "denied", "insufficient permissions") return nil, fmt.Errorf("access denied for role %s", roleID) } // Apply security filters filteredNode, err := rap.securityFilter.filterForRole(node, role) if err != nil { rap.auditLogger.logAccess(roleID, "context:filter", node.Path, "error", err.Error()) return nil, fmt.Errorf("failed to apply security filters: %w", err) } // Generate role-specific insights insights, err := rap.insightGenerator.generateForRole(ctx, filteredNode, role) if err != nil { // Log error but continue - insights are not critical rap.auditLogger.logAccess(roleID, "insight:generate", node.Path, "error", err.Error()) } // Apply insights to node if len(insights) > 0 { filteredNode.RoleSpecificInsights = insights filteredNode.ProcessedForRole = roleID } // Log successful processing rap.auditLogger.logAccess(roleID, "context:process", node.Path, "success", fmt.Sprintf("processed with %d insights", len(insights))) return filteredNode, nil } // GenerateRoleSpecificInsights generates insights tailored to a specific role func (rap *RoleAwareProcessor) GenerateRoleSpecificInsights(ctx context.Context, node *slurpContext.ContextNode, roleID string) ([]*RoleSpecificInsight, error) { role, err := rap.roleManager.getRole(roleID) if err != nil { return nil, fmt.Errorf("invalid role: %w", err) } // Check insight generation permissions if !rap.accessController.hasAccess(roleID, "insight:generate", node.Path) { rap.auditLogger.logAccess(roleID, "insight:generate", node.Path, "denied", "insufficient permissions") return nil, fmt.Errorf("insight generation denied for role %s", roleID) } insights, err := rap.insightGenerator.generateForRole(ctx, node, role) if err != nil { rap.auditLogger.logAccess(roleID, "insight:generate", node.Path, "error", err.Error()) return nil, err } rap.auditLogger.logAccess(roleID, "insight:generate", node.Path, "success", fmt.Sprintf("generated %d insights", len(insights))) return insights, nil } // FilterContextForRole filters context content based on role restrictions func (rap *RoleAwareProcessor) FilterContextForRole(node *slurpContext.ContextNode, roleID string) (*slurpContext.ContextNode, error) { role, err := rap.roleManager.getRole(roleID) if err != nil { return nil, fmt.Errorf("invalid role: %w", err) } return rap.securityFilter.filterForRole(node, role) } // ValidateRoleAccess validates if a role can access a specific resource func (rap *RoleAwareProcessor) ValidateRoleAccess(roleID, action, resource string) error { if !rap.accessController.hasAccess(roleID, action, resource) { rap.auditLogger.logAccess(roleID, action, resource, "denied", "access validation failed") return fmt.Errorf("access denied: role %s cannot %s resource %s", roleID, action, resource) } return nil } // GetRoleCapabilities returns the capabilities for a specific role func (rap *RoleAwareProcessor) GetRoleCapabilities(roleID string) (*RoleCapabilities, error) { return rap.roleManager.getRoleCapabilities(roleID) } // Initialize default roles func (rap *RoleAwareProcessor) initializeDefaultRoles() { defaultRoles := []*Role{ { ID: "architect", Name: "System Architect", Description: "High-level system design and architecture decisions", SecurityLevel: 8, Capabilities: []string{"architecture_design", "high_level_analysis", "strategic_planning"}, Restrictions: []string{"no_implementation_details", "no_low_level_code"}, AccessPatterns: []string{"architecture/**", "design/**", "docs/**"}, Priority: 1, IsActive: true, CreatedAt: time.Now(), }, { ID: "developer", Name: "Software Developer", Description: "Code implementation and development tasks", SecurityLevel: 6, Capabilities: []string{"code_analysis", "implementation", "debugging", "testing"}, Restrictions: []string{"no_architecture_changes", "no_security_config"}, AccessPatterns: []string{"src/**", "lib/**", "test/**"}, Priority: 2, IsActive: true, CreatedAt: time.Now(), }, { ID: "security_analyst", Name: "Security Analyst", Description: "Security analysis and vulnerability assessment", SecurityLevel: 9, Capabilities: []string{"security_analysis", "vulnerability_assessment", "compliance_check"}, Restrictions: []string{"no_code_modification"}, AccessPatterns: []string{"**/*"}, Priority: 1, IsActive: true, CreatedAt: time.Now(), }, { ID: "devops_engineer", Name: "DevOps Engineer", Description: "Infrastructure and deployment operations", SecurityLevel: 7, Capabilities: []string{"infrastructure_analysis", "deployment", "monitoring", "ci_cd"}, Restrictions: []string{"no_business_logic"}, AccessPatterns: []string{"infra/**", "deploy/**", "config/**", "docker/**"}, Priority: 2, IsActive: true, CreatedAt: time.Now(), }, { ID: "qa_engineer", Name: "Quality Assurance Engineer", Description: "Quality assurance and testing", SecurityLevel: 5, Capabilities: []string{"quality_analysis", "testing", "test_planning"}, Restrictions: []string{"no_production_access", "no_code_modification"}, AccessPatterns: []string{"test/**", "spec/**", "qa/**"}, Priority: 3, IsActive: true, CreatedAt: time.Now(), }, } for _, role := range defaultRoles { rap.roleProfiles[role.ID] = &RoleProfile{ Role: role, Capabilities: rap.createDefaultCapabilities(role), Restrictions: rap.createDefaultRestrictions(role), Permissions: rap.createDefaultPermissions(role), InsightConfig: rap.createDefaultInsightConfig(role), SecurityConfig: rap.createDefaultSecurityConfig(role), } rap.roleManager.roles[role.ID] = role } } // Helper methods for creating default configurations func (rap *RoleAwareProcessor) createDefaultCapabilities(role *Role) *RoleCapabilities { baseCapabilities := &RoleCapabilities{ RoleID: role.ID, ReadAccess: role.AccessPatterns, AnalysisTypes: role.Capabilities, SecurityScopes: []string{"public"}, DataClassifications: []string{"internal"}, } // Role-specific customizations switch role.ID { case "architect": baseCapabilities.WriteAccess = []string{"architecture/**", "design/**"} baseCapabilities.ExecuteAccess = []string{"design_tools", "modeling"} baseCapabilities.InsightLevels = []string{"strategic", "architectural", "high_level"} baseCapabilities.SecurityScopes = []string{"public", "internal", "confidential"} case "developer": baseCapabilities.WriteAccess = []string{"src/**", "test/**"} baseCapabilities.ExecuteAccess = []string{"compile", "test", "debug"} baseCapabilities.InsightLevels = []string{"implementation", "code_quality", "performance"} case "security_analyst": baseCapabilities.ReadAccess = []string{"**/*"} baseCapabilities.InsightLevels = []string{"security", "vulnerability", "compliance"} baseCapabilities.SecurityScopes = []string{"public", "internal", "confidential", "secret"} baseCapabilities.DataClassifications = []string{"public", "internal", "confidential", "restricted"} case "devops_engineer": baseCapabilities.WriteAccess = []string{"infra/**", "deploy/**", "config/**"} baseCapabilities.ExecuteAccess = []string{"deploy", "configure", "monitor"} baseCapabilities.InsightLevels = []string{"infrastructure", "deployment", "monitoring"} case "qa_engineer": baseCapabilities.WriteAccess = []string{"test/**", "qa/**"} baseCapabilities.ExecuteAccess = []string{"test", "validate"} baseCapabilities.InsightLevels = []string{"quality", "testing", "validation"} } return baseCapabilities } func (rap *RoleAwareProcessor) createDefaultRestrictions(role *Role) *RoleRestrictions { baseRestrictions := &RoleRestrictions{ RoleID: role.ID, ForbiddenPaths: []string{"secrets/**", "private/**"}, TimeRestrictions: []string{}, RateLimit: &RateLimit{ RequestsPerMinute: 60, RequestsPerHour: 1000, BurstSize: 10, WindowSize: time.Minute, }, MaxContextSize: 10000, MaxInsights: 50, } // Role-specific restrictions switch role.ID { case "architect": // Architects have fewer restrictions baseRestrictions.MaxContextSize = 50000 baseRestrictions.MaxInsights = 100 case "developer": baseRestrictions.ForbiddenPaths = append(baseRestrictions.ForbiddenPaths, "architecture/**", "security/**") baseRestrictions.ForbiddenTypes = []string{"security_config", "deployment_config"} case "security_analyst": // Security analysts have minimal path restrictions but keyword restrictions baseRestrictions.ForbiddenPaths = []string{"temp/**"} baseRestrictions.ForbiddenKeywords = []string{"password", "secret", "key"} baseRestrictions.MaxContextSize = 100000 case "devops_engineer": baseRestrictions.ForbiddenPaths = append(baseRestrictions.ForbiddenPaths, "src/**") baseRestrictions.ForbiddenTypes = []string{"business_logic", "user_data"} case "qa_engineer": baseRestrictions.ForbiddenPaths = append(baseRestrictions.ForbiddenPaths, "src/**", "infra/**") baseRestrictions.ForbiddenTypes = []string{"production_config", "security_config"} baseRestrictions.RateLimit.RequestsPerHour = 500 // Lower limit for QA } return baseRestrictions } func (rap *RoleAwareProcessor) createDefaultPermissions(role *Role) *RolePermissions { return &RolePermissions{ RoleID: role.ID, ContextAccess: &ContextAccessRights{ ReadLevel: role.SecurityLevel, WriteLevel: role.SecurityLevel - 2, AllowedTypes: []string{"code", "documentation", "configuration"}, SizeLimit: 1000000, }, AnalysisAccess: &AnalysisAccessRights{ AllowedAnalysisTypes: role.Capabilities, MaxComplexity: 8, TimeoutLimit: 5 * time.Minute, ResourceLimit: 100, }, InsightAccess: &InsightAccessRights{ GenerationLevel: role.SecurityLevel, AccessLevel: role.SecurityLevel, ConfidenceThreshold: 0.5, MaxInsights: 50, }, SystemAccess: &SystemAccessRights{ AdminAccess: role.SecurityLevel >= 8, ConfigAccess: role.SecurityLevel >= 7, MetricsAccess: true, AuditAccess: role.SecurityLevel >= 6, }, } } func (rap *RoleAwareProcessor) createDefaultInsightConfig(role *Role) *RoleInsightConfig { config := &RoleInsightConfig{ MaxInsights: 50, ConfidenceThreshold: 0.5, CategoryWeights: make(map[string]float64), CustomFilters: []string{}, } // Role-specific insight configurations switch role.ID { case "architect": config.EnabledGenerators = []string{"architecture_insights", "design_patterns", "system_analysis"} config.CategoryWeights = map[string]float64{ "architecture": 1.0, "design": 0.9, "performance": 0.7, "scalability": 0.9, } config.MaxInsights = 100 case "developer": config.EnabledGenerators = []string{"code_insights", "implementation_suggestions", "bug_detection"} config.CategoryWeights = map[string]float64{ "code_quality": 1.0, "implementation": 0.9, "bugs": 0.8, "performance": 0.6, } case "security_analyst": config.EnabledGenerators = []string{"security_insights", "vulnerability_analysis", "compliance_check"} config.CategoryWeights = map[string]float64{ "security": 1.0, "vulnerabilities": 1.0, "compliance": 0.9, "privacy": 0.8, } config.MaxInsights = 200 case "devops_engineer": config.EnabledGenerators = []string{"infrastructure_insights", "deployment_analysis", "monitoring_suggestions"} config.CategoryWeights = map[string]float64{ "infrastructure": 1.0, "deployment": 0.9, "monitoring": 0.8, "automation": 0.7, } case "qa_engineer": config.EnabledGenerators = []string{"quality_insights", "test_suggestions", "validation_analysis"} config.CategoryWeights = map[string]float64{ "quality": 1.0, "testing": 0.9, "validation": 0.8, "reliability": 0.7, } } return config } func (rap *RoleAwareProcessor) createDefaultSecurityConfig(role *Role) *RoleSecurityConfig { return &RoleSecurityConfig{ EncryptionRequired: role.SecurityLevel >= 8, AccessLogging: true, RateLimit: &RateLimit{ RequestsPerMinute: 60, RequestsPerHour: 1000, BurstSize: 10, WindowSize: time.Minute, }, IPWhitelist: []string{}, RequiredClaims: []string{"role_verified", "session_valid"}, } } // Role manager methods func (rm *RoleManager) loadDefaultRoles() { // Default roles are loaded in initializeDefaultRoles } func (rm *RoleManager) getRole(roleID string) (*Role, error) { role, exists := rm.roles[roleID] if !exists || !role.IsActive { return nil, fmt.Errorf("role not found or inactive: %s", roleID) } return role, nil } func (rm *RoleManager) getRoleCapabilities(roleID string) (*RoleCapabilities, error) { capabilities, exists := rm.capabilities[roleID] if !exists { return nil, fmt.Errorf("capabilities not found for role: %s", roleID) } return capabilities, nil } // Security filter methods func NewSecurityFilter() *SecurityFilter { return &SecurityFilter{ classificationLevels: map[string]int{ "public": 1, "internal": 3, "confidential": 6, "secret": 8, "top_secret": 10, }, contentFilters: make(map[string]*ContentFilter), accessMatrix: &AccessMatrix{ Rules: make(map[string]*AccessRule), DefaultDeny: true, LastUpdated: time.Now(), }, } } func (sf *SecurityFilter) filterForRole(node *slurpContext.ContextNode, role *Role) (*slurpContext.ContextNode, error) { filtered := node.Clone() // Apply content filtering based on role security level filtered.Summary = sf.filterContent(node.Summary, role) filtered.Purpose = sf.filterContent(node.Purpose, role) // Filter insights based on role access level filteredInsights := []string{} for _, insight := range node.Insights { if sf.canAccessInsight(insight, role) { filteredInsights = append(filteredInsights, sf.filterContent(insight, role)) } } filtered.Insights = filteredInsights // Filter technologies based on role restrictions filtered.Technologies = sf.filterTechnologies(node.Technologies, role) // Filter tags filtered.Tags = sf.filterTags(node.Tags, role) // Add security metadata if filtered.Metadata == nil { filtered.Metadata = make(map[string]interface{}) } filtered.Metadata["filtered_for_role"] = role.ID filtered.Metadata["security_level_applied"] = role.SecurityLevel return filtered, nil } func (sf *SecurityFilter) filterContent(content string, role *Role) string { // Simple content filtering - in production would be more sophisticated filteredContent := content // Apply role-specific content filters if role.SecurityLevel < 8 { // Remove sensitive patterns for lower security levels sensitivePatterns := []string{ "password", "secret", "key", "token", "credential", "private", "confidential", "restricted", } for _, pattern := range sensitivePatterns { if strings.Contains(strings.ToLower(filteredContent), pattern) { filteredContent = strings.ReplaceAll(filteredContent, pattern, "[REDACTED]") } } } return filteredContent } func (sf *SecurityFilter) canAccessInsight(insight string, role *Role) bool { // Check if role can access this type of insight lowerInsight := strings.ToLower(insight) // Security analysts can see all insights if role.ID == "security_analyst" { return true } // Architects can see high-level insights if role.ID == "architect" { restrictedPatterns := []string{"implementation detail", "low-level", "code-specific"} for _, pattern := range restrictedPatterns { if strings.Contains(lowerInsight, pattern) { return false } } return true } // Developers can see implementation insights but not architectural decisions if role.ID == "developer" { restrictedPatterns := []string{"strategic", "architectural decision", "business"} for _, pattern := range restrictedPatterns { if strings.Contains(lowerInsight, pattern) { return false } } return true } return true // Default allow for other roles } func (sf *SecurityFilter) filterTechnologies(technologies []string, role *Role) []string { filtered := []string{} for _, tech := range technologies { if sf.canAccessTechnology(tech, role) { filtered = append(filtered, tech) } } return filtered } func (sf *SecurityFilter) canAccessTechnology(technology string, role *Role) bool { // Role-specific technology access rules lowerTech := strings.ToLower(technology) switch role.ID { case "qa_engineer": // QA engineers shouldn't see infrastructure technologies infraTechs := []string{"kubernetes", "docker", "terraform", "ansible"} for _, infraTech := range infraTechs { if strings.Contains(lowerTech, infraTech) { return false } } case "developer": // Developers shouldn't see deployment/infrastructure details restrictedTechs := []string{"production", "deployment", "monitoring"} for _, restricted := range restrictedTechs { if strings.Contains(lowerTech, restricted) { return false } } } return true } func (sf *SecurityFilter) filterTags(tags []string, role *Role) []string { filtered := []string{} for _, tag := range tags { if sf.canAccessTag(tag, role) { filtered = append(filtered, tag) } } return filtered } func (sf *SecurityFilter) canAccessTag(tag string, role *Role) bool { // Simple tag filtering based on role lowerTag := strings.ToLower(tag) // Security-related tags only for security analysts and architects securityTags := []string{"security", "vulnerability", "encryption", "authentication"} for _, secTag := range securityTags { if strings.Contains(lowerTag, secTag) && role.SecurityLevel < 7 { return false } } return true } // Insight generator methods func NewInsightGenerator() *InsightGenerator { ig := &InsightGenerator{ generators: make(map[string]RoleInsightGenerator), templates: make(map[string]*InsightTemplate), filters: make(map[string]*InsightFilter), } // Initialize role-specific generators ig.initializeGenerators() return ig } func (ig *InsightGenerator) initializeGenerators() { // Initialize generators for different roles ig.generators["architect"] = NewArchitectInsightGenerator() ig.generators["developer"] = NewDeveloperInsightGenerator() ig.generators["security_analyst"] = NewSecurityInsightGenerator() ig.generators["devops_engineer"] = NewDevOpsInsightGenerator() ig.generators["qa_engineer"] = NewQAInsightGenerator() } func (ig *InsightGenerator) generateForRole(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) { generator, exists := ig.generators[role.ID] if !exists { return nil, fmt.Errorf("no insight generator found for role: %s", role.ID) } // Validate context for this role if err := generator.ValidateContext(node, role); err != nil { return nil, fmt.Errorf("context validation failed: %w", err) } // Generate insights insights, err := generator.GenerateInsights(ctx, node, role) if err != nil { return nil, fmt.Errorf("insight generation failed: %w", err) } // Apply role-specific filters filteredInsights := ig.applyRoleFilters(insights, role) // Sort by priority and confidence sort.Slice(filteredInsights, func(i, j int) bool { if filteredInsights[i].Priority == filteredInsights[j].Priority { return filteredInsights[i].Confidence > filteredInsights[j].Confidence } return filteredInsights[i].Priority > filteredInsights[j].Priority }) return filteredInsights, nil } func (ig *InsightGenerator) applyRoleFilters(insights []*RoleSpecificInsight, role *Role) []*RoleSpecificInsight { filtered := []*RoleSpecificInsight{} for _, insight := range insights { // Check security level if insight.SecurityLevel > role.SecurityLevel { continue } // Apply role-specific filtering logic if ig.shouldIncludeInsight(insight, role) { filtered = append(filtered, insight) } } return filtered } func (ig *InsightGenerator) shouldIncludeInsight(insight *RoleSpecificInsight, role *Role) bool { // Role-specific inclusion logic switch role.ID { case "architect": // Architects prefer high-level, strategic insights return insight.Category != "implementation_detail" && insight.Priority >= 3 case "developer": // Developers prefer implementation-focused insights return insight.Category != "strategic_planning" && insight.Confidence >= 0.6 case "security_analyst": // Security analysts want security-related insights securityCategories := []string{"security", "vulnerability", "compliance"} for _, cat := range securityCategories { if insight.Category == cat { return true } } return insight.SecurityLevel >= 6 case "devops_engineer": // DevOps engineers want infrastructure and deployment insights devopsCategories := []string{"infrastructure", "deployment", "monitoring", "automation"} for _, cat := range devopsCategories { if insight.Category == cat { return true } } return false case "qa_engineer": // QA engineers want quality and testing insights qaCategories := []string{"quality", "testing", "validation", "reliability"} for _, cat := range qaCategories { if insight.Category == cat { return true } } return false } return true // Default include } // Access controller methods func NewAccessController() *AccessController { ac := &AccessController{ permissions: NewPermissionMatrix(), sessions: make(map[string]*RoleSession), } return ac } func (ac *AccessController) hasAccess(roleID, action, resource string) bool { ac.mu.RLock() defer ac.mu.RUnlock() // Check role permissions rolePermissions, exists := ac.permissions.RolePermissions[roleID] if !exists { return false } // Simple access check based on action type switch { case strings.HasPrefix(action, "context:"): return ac.checkContextAccess(rolePermissions.ContextAccess, action, resource) case strings.HasPrefix(action, "analysis:"): return ac.checkAnalysisAccess(rolePermissions.AnalysisAccess, action) case strings.HasPrefix(action, "insight:"): return ac.checkInsightAccess(rolePermissions.InsightAccess, action) case strings.HasPrefix(action, "system:"): return ac.checkSystemAccess(rolePermissions.SystemAccess, action) default: return false } } func (ac *AccessController) checkContextAccess(rights *ContextAccessRights, action, resource string) bool { if strings.HasSuffix(action, ":read") { return rights.ReadLevel > 0 && ac.matchesPathRestrictions(resource, rights.PathRestrictions) } if strings.HasSuffix(action, ":write") { return rights.WriteLevel > 0 && ac.matchesPathRestrictions(resource, rights.PathRestrictions) } return false } func (ac *AccessController) checkAnalysisAccess(rights *AnalysisAccessRights, action string) bool { return len(rights.AllowedAnalysisTypes) > 0 } func (ac *AccessController) checkInsightAccess(rights *InsightAccessRights, action string) bool { return rights.GenerationLevel > 0 } func (ac *AccessController) checkSystemAccess(rights *SystemAccessRights, action string) bool { if strings.Contains(action, "admin") { return rights.AdminAccess } if strings.Contains(action, "config") { return rights.ConfigAccess } if strings.Contains(action, "metrics") { return rights.MetricsAccess } if strings.Contains(action, "audit") { return rights.AuditAccess } return false } func (ac *AccessController) matchesPathRestrictions(resource string, restrictions []string) bool { if len(restrictions) == 0 { return true // No restrictions means allowed } for _, restriction := range restrictions { if strings.HasPrefix(resource, restriction) { return false // Matches a restriction, access denied } } return true } // Permission matrix methods func NewPermissionMatrix() *PermissionMatrix { return &PermissionMatrix{ RolePermissions: make(map[string]*RolePermissions), ResourceACL: make(map[string]*ResourceACL), DefaultPolicy: "deny", LastUpdated: time.Now(), } } // Audit logger methods func NewAuditLogger() *AuditLogger { return &AuditLogger{ entries: []*AuditEntry{}, config: &AuditConfig{ LogLevel: "info", MaxEntries: 10000, RetentionPeriod: 90 * 24 * time.Hour, LogToFile: false, EnableMetrics: true, }, } } func (al *AuditLogger) logAccess(roleID, action, resource, result, details string) { al.mu.Lock() defer al.mu.Unlock() entry := &AuditEntry{ ID: fmt.Sprintf("%d", time.Now().UnixNano()), Timestamp: time.Now(), RoleID: roleID, Action: action, Resource: resource, Result: result, Details: details, Context: map[string]interface{}{}, } al.entries = append(al.entries, entry) // Trim old entries if necessary if len(al.entries) > al.config.MaxEntries { al.entries = al.entries[1:] } } func (al *AuditLogger) GetAuditLog(limit int) []*AuditEntry { al.mu.Lock() defer al.mu.Unlock() if limit <= 0 || limit > len(al.entries) { limit = len(al.entries) } // Return most recent entries start := len(al.entries) - limit return al.entries[start:] } // Placeholder implementations for role-specific insight generators // These would be fully implemented with sophisticated logic in production type ArchitectInsightGenerator struct{} func NewArchitectInsightGenerator() *ArchitectInsightGenerator { return &ArchitectInsightGenerator{} } func (aig *ArchitectInsightGenerator) GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) { return []*RoleSpecificInsight{ { ID: "arch_001", RoleID: role.ID, Category: "architecture", Title: "Architectural Assessment", Content: fmt.Sprintf("Component %s appears to follow good architectural patterns", node.Path), Confidence: 0.8, Priority: 7, SecurityLevel: 5, GeneratedAt: time.Now(), }, }, nil } func (aig *ArchitectInsightGenerator) GetSupportedRoles() []string { return []string{"architect"} } func (aig *ArchitectInsightGenerator) GetInsightTypes() []string { return []string{"architecture", "design", "patterns"} } func (aig *ArchitectInsightGenerator) ValidateContext(node *slurpContext.ContextNode, role *Role) error { return nil } type DeveloperInsightGenerator struct{} func NewDeveloperInsightGenerator() *DeveloperInsightGenerator { return &DeveloperInsightGenerator{} } func (dig *DeveloperInsightGenerator) GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) { return []*RoleSpecificInsight{ { ID: "dev_001", RoleID: role.ID, Category: "implementation", Title: "Code Quality Assessment", Content: fmt.Sprintf("Code in %s follows good practices", node.Path), Confidence: 0.7, Priority: 6, SecurityLevel: 3, GeneratedAt: time.Now(), }, }, nil } func (dig *DeveloperInsightGenerator) GetSupportedRoles() []string { return []string{"developer"} } func (dig *DeveloperInsightGenerator) GetInsightTypes() []string { return []string{"code_quality", "implementation", "bugs"} } func (dig *DeveloperInsightGenerator) ValidateContext(node *slurpContext.ContextNode, role *Role) error { return nil } type SecurityInsightGenerator struct{} func NewSecurityInsightGenerator() *SecurityInsightGenerator { return &SecurityInsightGenerator{} } func (sig *SecurityInsightGenerator) GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) { return []*RoleSpecificInsight{ { ID: "sec_001", RoleID: role.ID, Category: "security", Title: "Security Assessment", Content: fmt.Sprintf("No obvious security issues found in %s", node.Path), Confidence: 0.9, Priority: 9, SecurityLevel: 8, GeneratedAt: time.Now(), }, }, nil } func (sig *SecurityInsightGenerator) GetSupportedRoles() []string { return []string{"security_analyst"} } func (sig *SecurityInsightGenerator) GetInsightTypes() []string { return []string{"security", "vulnerability", "compliance"} } func (sig *SecurityInsightGenerator) ValidateContext(node *slurpContext.ContextNode, role *Role) error { return nil } type DevOpsInsightGenerator struct{} func NewDevOpsInsightGenerator() *DevOpsInsightGenerator { return &DevOpsInsightGenerator{} } func (doig *DevOpsInsightGenerator) GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) { return []*RoleSpecificInsight{ { ID: "devops_001", RoleID: role.ID, Category: "infrastructure", Title: "Infrastructure Assessment", Content: fmt.Sprintf("Component %s appears deployable", node.Path), Confidence: 0.6, Priority: 5, SecurityLevel: 4, GeneratedAt: time.Now(), }, }, nil } func (doig *DevOpsInsightGenerator) GetSupportedRoles() []string { return []string{"devops_engineer"} } func (doig *DevOpsInsightGenerator) GetInsightTypes() []string { return []string{"infrastructure", "deployment", "monitoring"} } func (doig *DevOpsInsightGenerator) ValidateContext(node *slurpContext.ContextNode, role *Role) error { return nil } type QAInsightGenerator struct{} func NewQAInsightGenerator() *QAInsightGenerator { return &QAInsightGenerator{} } func (qaig *QAInsightGenerator) GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) { return []*RoleSpecificInsight{ { ID: "qa_001", RoleID: role.ID, Category: "quality", Title: "Quality Assessment", Content: fmt.Sprintf("Component %s meets quality standards", node.Path), Confidence: 0.75, Priority: 4, SecurityLevel: 3, GeneratedAt: time.Now(), }, }, nil } func (qaig *QAInsightGenerator) GetSupportedRoles() []string { return []string{"qa_engineer"} } func (qaig *QAInsightGenerator) GetInsightTypes() []string { return []string{"quality", "testing", "validation"} } func (qaig *QAInsightGenerator) ValidateContext(node *slurpContext.ContextNode, role *Role) error { return nil }