tony/bzzz
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
bzzz/pkg/slurp/intelligence/role_aware_processor.go
anthonyrawlins d96c931a29 Resolve import cycles and migrate to chorus.services module path 
This comprehensive refactoring addresses critical architectural issues:

IMPORT CYCLE RESOLUTION:
• pkg/crypto ↔ pkg/slurp/roles: Created pkg/security/access_levels.go
• pkg/ucxl → pkg/dht: Created pkg/storage/interfaces.go
• pkg/slurp/leader → pkg/election → pkg/slurp/storage: Moved types to pkg/election/interfaces.go

MODULE PATH MIGRATION:
• Changed from github.com/anthonyrawlins/bzzz to chorus.services/bzzz
• Updated all import statements across 115+ files
• Maintains compatibility while removing personal GitHub account dependency

TYPE SYSTEM IMPROVEMENTS:
• Resolved duplicate type declarations in crypto package
• Added missing type definitions (RoleStatus, TimeRestrictions, KeyStatus, KeyRotationResult)
• Proper interface segregation to prevent future cycles

ARCHITECTURAL BENEFITS:
• Build now progresses past structural issues to normal dependency resolution
• Cleaner separation of concerns between packages
• Eliminates circular dependencies that prevented compilation
• Establishes foundation for scalable codebase growth

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-17 10:04:25 +10:00

1279 lines
44 KiB
Go
Raw Permalink Blame History

package intelligence
import (
"context"
"fmt"
"sort"
"strings"
"sync"
"time"
"chorus.services/bzzz/pkg/crypto"
slurpContext "chorus.services/bzzz/pkg/slurp/context"
)
// RoleAwareProcessor provides role-based context processing and insight generation
type RoleAwareProcessor struct {
mu sync.RWMutex
config *EngineConfig
roleManager *RoleManager
securityFilter *SecurityFilter
insightGenerator *InsightGenerator
accessController *AccessController
auditLogger *AuditLogger
permissions *PermissionMatrix
roleProfiles map[string]*RoleProfile
}
// RoleManager manages role definitions and hierarchies
type RoleManager struct {
roles map[string]*Role
hierarchies map[string]*RoleHierarchy
capabilities map[string]*RoleCapabilities
restrictions map[string]*RoleRestrictions
}
// Role represents an AI agent role with specific permissions and capabilities
type Role struct {
ID string `json:"id"`
Name string `json:"name"`
Description string `json:"description"`
SecurityLevel int `json:"security_level"`
Capabilities []string `json:"capabilities"`
Restrictions []string `json:"restrictions"`
AccessPatterns []string `json:"access_patterns"`
ContextFilters []string `json:"context_filters"`
Priority int `json:"priority"`
ParentRoles []string `json:"parent_roles"`
ChildRoles []string `json:"child_roles"`
Metadata map[string]interface{} `json:"metadata"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
IsActive bool `json:"is_active"`
}
// RoleHierarchy defines role inheritance and relationships
type RoleHierarchy struct {
ParentRole string `json:"parent_role"`
ChildRoles []string `json:"child_roles"`
InheritLevel int `json:"inherit_level"`
OverrideRules []string `json:"override_rules"`
}
// RoleCapabilities defines what a role can do
type RoleCapabilities struct {
RoleID string `json:"role_id"`
ReadAccess []string `json:"read_access"`
WriteAccess []string `json:"write_access"`
ExecuteAccess []string `json:"execute_access"`
AnalysisTypes []string `json:"analysis_types"`
InsightLevels []string `json:"insight_levels"`
SecurityScopes []string `json:"security_scopes"`
DataClassifications []string `json:"data_classifications"`
}
// RoleRestrictions defines what a role cannot do or access
type RoleRestrictions struct {
RoleID string `json:"role_id"`
ForbiddenPaths []string `json:"forbidden_paths"`
ForbiddenTypes []string `json:"forbidden_types"`
ForbiddenKeywords []string `json:"forbidden_keywords"`
TimeRestrictions []string `json:"time_restrictions"`
RateLimit *RateLimit `json:"rate_limit"`
MaxContextSize int `json:"max_context_size"`
MaxInsights int `json:"max_insights"`
}
// RateLimit defines rate limiting for role operations
type RateLimit struct {
RequestsPerMinute int `json:"requests_per_minute"`
RequestsPerHour int `json:"requests_per_hour"`
BurstSize int `json:"burst_size"`
WindowSize time.Duration `json:"window_size"`
}
// SecurityFilter filters content based on role security levels
type SecurityFilter struct {
classificationLevels map[string]int
contentFilters map[string]*ContentFilter
accessMatrix *AccessMatrix
}
// ContentFilter defines content filtering rules
type ContentFilter struct {
FilterID string `json:"filter_id"`
FilterType string `json:"filter_type"`
Patterns []string `json:"patterns"`
ReplacementText string `json:"replacement_text"`
SecurityLevel int `json:"security_level"`
ApplyToRoles []string `json:"apply_to_roles"`
}
// AccessMatrix defines access control rules
type AccessMatrix struct {
Rules map[string]*AccessRule `json:"rules"`
DefaultDeny bool `json:"default_deny"`
LastUpdated time.Time `json:"last_updated"`
}
// AccessRule defines a specific access control rule
type AccessRule struct {
RuleID string `json:"rule_id"`
Roles []string `json:"roles"`
ResourcePattern string `json:"resource_pattern"`
Actions []string `json:"actions"`
Conditions []string `json:"conditions"`
Effect string `json:"effect"` // allow, deny
Priority int `json:"priority"`
}
// InsightGenerator generates role-specific insights
type InsightGenerator struct {
generators map[string]RoleInsightGenerator
templates map[string]*InsightTemplate
filters map[string]*InsightFilter
}
// RoleInsightGenerator interface for role-specific insight generation
type RoleInsightGenerator interface {
GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error)
GetSupportedRoles() []string
GetInsightTypes() []string
ValidateContext(node *slurpContext.ContextNode, role *Role) error
}
// InsightTemplate defines templates for generating insights
type InsightTemplate struct {
TemplateID string `json:"template_id"`
Name string `json:"name"`
Template string `json:"template"`
Variables []string `json:"variables"`
Roles []string `json:"roles"`
Category string `json:"category"`
Priority int `json:"priority"`
Metadata map[string]interface{} `json:"metadata"`
}
// InsightFilter filters insights based on role permissions
type InsightFilter struct {
FilterID string `json:"filter_id"`
ApplicableRoles []string `json:"applicable_roles"`
FilterRules []string `json:"filter_rules"`
SecurityLevel int `json:"security_level"`
}
// AccessController manages access control for role-based operations
type AccessController struct {
permissions *PermissionMatrix
sessions map[string]*RoleSession
mu sync.RWMutex
}
// PermissionMatrix defines comprehensive permissions for roles
type PermissionMatrix struct {
RolePermissions map[string]*RolePermissions `json:"role_permissions"`
ResourceACL map[string]*ResourceACL `json:"resource_acl"`
DefaultPolicy string `json:"default_policy"`
LastUpdated time.Time `json:"last_updated"`
}
// RolePermissions defines permissions for a specific role
type RolePermissions struct {
RoleID string `json:"role_id"`
ContextAccess *ContextAccessRights `json:"context_access"`
AnalysisAccess *AnalysisAccessRights `json:"analysis_access"`
InsightAccess *InsightAccessRights `json:"insight_access"`
SystemAccess *SystemAccessRights `json:"system_access"`
CustomAccess map[string]interface{} `json:"custom_access"`
}
// ContextAccessRights defines context-related access rights
type ContextAccessRights struct {
ReadLevel int `json:"read_level"`
WriteLevel int `json:"write_level"`
AllowedTypes []string `json:"allowed_types"`
ForbiddenTypes []string `json:"forbidden_types"`
PathRestrictions []string `json:"path_restrictions"`
SizeLimit int `json:"size_limit"`
}
// AnalysisAccessRights defines analysis-related access rights
type AnalysisAccessRights struct {
AllowedAnalysisTypes []string `json:"allowed_analysis_types"`
MaxComplexity int `json:"max_complexity"`
TimeoutLimit time.Duration `json:"timeout_limit"`
ResourceLimit int `json:"resource_limit"`
}
// InsightAccessRights defines insight-related access rights
type InsightAccessRights struct {
GenerationLevel int `json:"generation_level"`
AccessLevel int `json:"access_level"`
CategoryFilters []string `json:"category_filters"`
ConfidenceThreshold float64 `json:"confidence_threshold"`
MaxInsights int `json:"max_insights"`
}
// SystemAccessRights defines system-level access rights
type SystemAccessRights struct {
AdminAccess bool `json:"admin_access"`
ConfigAccess bool `json:"config_access"`
MetricsAccess bool `json:"metrics_access"`
AuditAccess bool `json:"audit_access"`
AllowedCommands []string `json:"allowed_commands"`
}
// ResourceACL defines access control for specific resources
type ResourceACL struct {
ResourceID string `json:"resource_id"`
ResourceType string `json:"resource_type"`
RoleAccess map[string]string `json:"role_access"` // role_id -> access_level
DefaultAccess string `json:"default_access"`
RequiredClaims []string `json:"required_claims"`
}
// RoleSession represents an active role session
type RoleSession struct {
SessionID string `json:"session_id"`
RoleID string `json:"role_id"`
UserID string `json:"user_id"`
CreatedAt time.Time `json:"created_at"`
LastAccess time.Time `json:"last_access"`
ExpiresAt time.Time `json:"expires_at"`
Permissions *RolePermissions `json:"permissions"`
Context map[string]interface{} `json:"context"`
IsActive bool `json:"is_active"`
}
// AuditLogger logs role-based access and operations
type AuditLogger struct {
mu sync.Mutex
entries []*AuditEntry
config *AuditConfig
}
// AuditEntry represents an audit log entry
type AuditEntry struct {
ID string `json:"id"`
Timestamp time.Time `json:"timestamp"`
RoleID string `json:"role_id"`
Action string `json:"action"`
Resource string `json:"resource"`
Result string `json:"result"` // success, denied, error
Details string `json:"details"`
Context map[string]interface{} `json:"context"`
SecurityLevel int `json:"security_level"`
}
// AuditConfig defines audit logging configuration
type AuditConfig struct {
LogLevel string `json:"log_level"`
MaxEntries int `json:"max_entries"`
RetentionPeriod time.Duration `json:"retention_period"`
LogToFile bool `json:"log_to_file"`
LogFile string `json:"log_file"`
EnableMetrics bool `json:"enable_metrics"`
}
// RoleProfile contains comprehensive role configuration
type RoleProfile struct {
Role *Role `json:"role"`
Capabilities *RoleCapabilities `json:"capabilities"`
Restrictions *RoleRestrictions `json:"restrictions"`
Permissions *RolePermissions `json:"permissions"`
InsightConfig *RoleInsightConfig `json:"insight_config"`
SecurityConfig *RoleSecurityConfig `json:"security_config"`
}
// RoleInsightConfig defines insight generation configuration for a role
type RoleInsightConfig struct {
EnabledGenerators []string `json:"enabled_generators"`
MaxInsights int `json:"max_insights"`
ConfidenceThreshold float64 `json:"confidence_threshold"`
CategoryWeights map[string]float64 `json:"category_weights"`
CustomFilters []string `json:"custom_filters"`
}
// RoleSecurityConfig defines security configuration for a role
type RoleSecurityConfig struct {
EncryptionRequired bool `json:"encryption_required"`
AccessLogging bool `json:"access_logging"`
RateLimit *RateLimit `json:"rate_limit"`
IPWhitelist []string `json:"ip_whitelist"`
RequiredClaims []string `json:"required_claims"`
}
// RoleSpecificInsight represents an insight tailored to a specific role
type RoleSpecificInsight struct {
ID string `json:"id"`
RoleID string `json:"role_id"`
Category string `json:"category"`
Title string `json:"title"`
Content string `json:"content"`
Confidence float64 `json:"confidence"`
Priority int `json:"priority"`
SecurityLevel int `json:"security_level"`
Tags []string `json:"tags"`
ActionItems []string `json:"action_items"`
References []string `json:"references"`
Metadata map[string]interface{} `json:"metadata"`
GeneratedAt time.Time `json:"generated_at"`
ExpiresAt *time.Time `json:"expires_at,omitempty"`
}
// NewRoleAwareProcessor creates a new role-aware processor
func NewRoleAwareProcessor(config *EngineConfig) *RoleAwareProcessor {
processor := &RoleAwareProcessor{
config: config,
roleManager: NewRoleManager(),
securityFilter: NewSecurityFilter(),
insightGenerator: NewInsightGenerator(),
accessController: NewAccessController(),
auditLogger: NewAuditLogger(),
permissions: NewPermissionMatrix(),
roleProfiles: make(map[string]*RoleProfile),
}
// Initialize default roles
processor.initializeDefaultRoles()
return processor
}
// NewRoleManager creates a role manager with default roles
func NewRoleManager() *RoleManager {
rm := &RoleManager{
roles: make(map[string]*Role),
hierarchies: make(map[string]*RoleHierarchy),
capabilities: make(map[string]*RoleCapabilities),
restrictions: make(map[string]*RoleRestrictions),
}
// Initialize with default roles
rm.loadDefaultRoles()
return rm
}
// ProcessContextForRole processes context specifically for a given role
func (rap *RoleAwareProcessor) ProcessContextForRole(ctx context.Context, node *slurpContext.ContextNode, roleID string) (*slurpContext.ContextNode, error) {
// Validate role exists and is active
role, err := rap.roleManager.getRole(roleID)
if err != nil {
return nil, fmt.Errorf("invalid role: %w", err)
}
// Check access permissions
if !rap.accessController.hasAccess(roleID, "context:read", node.Path) {
rap.auditLogger.logAccess(roleID, "context:read", node.Path, "denied", "insufficient permissions")
return nil, fmt.Errorf("access denied for role %s", roleID)
}
// Apply security filters
filteredNode, err := rap.securityFilter.filterForRole(node, role)
if err != nil {
rap.auditLogger.logAccess(roleID, "context:filter", node.Path, "error", err.Error())
return nil, fmt.Errorf("failed to apply security filters: %w", err)
}
// Generate role-specific insights
insights, err := rap.insightGenerator.generateForRole(ctx, filteredNode, role)
if err != nil {
// Log error but continue - insights are not critical
rap.auditLogger.logAccess(roleID, "insight:generate", node.Path, "error", err.Error())
}
// Apply insights to node
if len(insights) > 0 {
filteredNode.RoleSpecificInsights = insights
filteredNode.ProcessedForRole = roleID
}
// Log successful processing
rap.auditLogger.logAccess(roleID, "context:process", node.Path, "success",
fmt.Sprintf("processed with %d insights", len(insights)))
return filteredNode, nil
}
// GenerateRoleSpecificInsights generates insights tailored to a specific role
func (rap *RoleAwareProcessor) GenerateRoleSpecificInsights(ctx context.Context, node *slurpContext.ContextNode, roleID string) ([]*RoleSpecificInsight, error) {
role, err := rap.roleManager.getRole(roleID)
if err != nil {
return nil, fmt.Errorf("invalid role: %w", err)
}
// Check insight generation permissions
if !rap.accessController.hasAccess(roleID, "insight:generate", node.Path) {
rap.auditLogger.logAccess(roleID, "insight:generate", node.Path, "denied", "insufficient permissions")
return nil, fmt.Errorf("insight generation denied for role %s", roleID)
}
insights, err := rap.insightGenerator.generateForRole(ctx, node, role)
if err != nil {
rap.auditLogger.logAccess(roleID, "insight:generate", node.Path, "error", err.Error())
return nil, err
}
rap.auditLogger.logAccess(roleID, "insight:generate", node.Path, "success",
fmt.Sprintf("generated %d insights", len(insights)))
return insights, nil
}
// FilterContextForRole filters context content based on role restrictions
func (rap *RoleAwareProcessor) FilterContextForRole(node *slurpContext.ContextNode, roleID string) (*slurpContext.ContextNode, error) {
role, err := rap.roleManager.getRole(roleID)
if err != nil {
return nil, fmt.Errorf("invalid role: %w", err)
}
return rap.securityFilter.filterForRole(node, role)
}
// ValidateRoleAccess validates if a role can access a specific resource
func (rap *RoleAwareProcessor) ValidateRoleAccess(roleID, action, resource string) error {
if !rap.accessController.hasAccess(roleID, action, resource) {
rap.auditLogger.logAccess(roleID, action, resource, "denied", "access validation failed")
return fmt.Errorf("access denied: role %s cannot %s resource %s", roleID, action, resource)
}
return nil
}
// GetRoleCapabilities returns the capabilities for a specific role
func (rap *RoleAwareProcessor) GetRoleCapabilities(roleID string) (*RoleCapabilities, error) {
return rap.roleManager.getRoleCapabilities(roleID)
}
// Initialize default roles
func (rap *RoleAwareProcessor) initializeDefaultRoles() {
defaultRoles := []*Role{
{
ID: "architect",
Name: "System Architect",
Description: "High-level system design and architecture decisions",
SecurityLevel: 8,
Capabilities: []string{"architecture_design", "high_level_analysis", "strategic_planning"},
Restrictions: []string{"no_implementation_details", "no_low_level_code"},
AccessPatterns: []string{"architecture/**", "design/**", "docs/**"},
Priority: 1,
IsActive: true,
CreatedAt: time.Now(),
},
{
ID: "developer",
Name: "Software Developer",
Description: "Code implementation and development tasks",
SecurityLevel: 6,
Capabilities: []string{"code_analysis", "implementation", "debugging", "testing"},
Restrictions: []string{"no_architecture_changes", "no_security_config"},
AccessPatterns: []string{"src/**", "lib/**", "test/**"},
Priority: 2,
IsActive: true,
CreatedAt: time.Now(),
},
{
ID: "security_analyst",
Name: "Security Analyst",
Description: "Security analysis and vulnerability assessment",
SecurityLevel: 9,
Capabilities: []string{"security_analysis", "vulnerability_assessment", "compliance_check"},
Restrictions: []string{"no_code_modification"},
AccessPatterns: []string{"**/*"},
Priority: 1,
IsActive: true,
CreatedAt: time.Now(),
},
{
ID: "devops_engineer",
Name: "DevOps Engineer",
Description: "Infrastructure and deployment operations",
SecurityLevel: 7,
Capabilities: []string{"infrastructure_analysis", "deployment", "monitoring", "ci_cd"},
Restrictions: []string{"no_business_logic"},
AccessPatterns: []string{"infra/**", "deploy/**", "config/**", "docker/**"},
Priority: 2,
IsActive: true,
CreatedAt: time.Now(),
},
{
ID: "qa_engineer",
Name: "Quality Assurance Engineer",
Description: "Quality assurance and testing",
SecurityLevel: 5,
Capabilities: []string{"quality_analysis", "testing", "test_planning"},
Restrictions: []string{"no_production_access", "no_code_modification"},
AccessPatterns: []string{"test/**", "spec/**", "qa/**"},
Priority: 3,
IsActive: true,
CreatedAt: time.Now(),
},
}
for _, role := range defaultRoles {
rap.roleProfiles[role.ID] = &RoleProfile{
Role: role,
Capabilities: rap.createDefaultCapabilities(role),
Restrictions: rap.createDefaultRestrictions(role),
Permissions: rap.createDefaultPermissions(role),
InsightConfig: rap.createDefaultInsightConfig(role),
SecurityConfig: rap.createDefaultSecurityConfig(role),
}
rap.roleManager.roles[role.ID] = role
}
}
// Helper methods for creating default configurations
func (rap *RoleAwareProcessor) createDefaultCapabilities(role *Role) *RoleCapabilities {
baseCapabilities := &RoleCapabilities{
RoleID: role.ID,
ReadAccess: role.AccessPatterns,
AnalysisTypes: role.Capabilities,
SecurityScopes: []string{"public"},
DataClassifications: []string{"internal"},
}
// Role-specific customizations
switch role.ID {
case "architect":
baseCapabilities.WriteAccess = []string{"architecture/**", "design/**"}
baseCapabilities.ExecuteAccess = []string{"design_tools", "modeling"}
baseCapabilities.InsightLevels = []string{"strategic", "architectural", "high_level"}
baseCapabilities.SecurityScopes = []string{"public", "internal", "confidential"}
case "developer":
baseCapabilities.WriteAccess = []string{"src/**", "test/**"}
baseCapabilities.ExecuteAccess = []string{"compile", "test", "debug"}
baseCapabilities.InsightLevels = []string{"implementation", "code_quality", "performance"}
case "security_analyst":
baseCapabilities.ReadAccess = []string{"**/*"}
baseCapabilities.InsightLevels = []string{"security", "vulnerability", "compliance"}
baseCapabilities.SecurityScopes = []string{"public", "internal", "confidential", "secret"}
baseCapabilities.DataClassifications = []string{"public", "internal", "confidential", "restricted"}
case "devops_engineer":
baseCapabilities.WriteAccess = []string{"infra/**", "deploy/**", "config/**"}
baseCapabilities.ExecuteAccess = []string{"deploy", "configure", "monitor"}
baseCapabilities.InsightLevels = []string{"infrastructure", "deployment", "monitoring"}
case "qa_engineer":
baseCapabilities.WriteAccess = []string{"test/**", "qa/**"}
baseCapabilities.ExecuteAccess = []string{"test", "validate"}
baseCapabilities.InsightLevels = []string{"quality", "testing", "validation"}
}
return baseCapabilities
}
func (rap *RoleAwareProcessor) createDefaultRestrictions(role *Role) *RoleRestrictions {
baseRestrictions := &RoleRestrictions{
RoleID: role.ID,
ForbiddenPaths: []string{"secrets/**", "private/**"},
TimeRestrictions: []string{},
RateLimit: &RateLimit{
RequestsPerMinute: 60,
RequestsPerHour: 1000,
BurstSize: 10,
WindowSize: time.Minute,
},
MaxContextSize: 10000,
MaxInsights: 50,
}
// Role-specific restrictions
switch role.ID {
case "architect":
// Architects have fewer restrictions
baseRestrictions.MaxContextSize = 50000
baseRestrictions.MaxInsights = 100
case "developer":
baseRestrictions.ForbiddenPaths = append(baseRestrictions.ForbiddenPaths, "architecture/**", "security/**")
baseRestrictions.ForbiddenTypes = []string{"security_config", "deployment_config"}
case "security_analyst":
// Security analysts have minimal path restrictions but keyword restrictions
baseRestrictions.ForbiddenPaths = []string{"temp/**"}
baseRestrictions.ForbiddenKeywords = []string{"password", "secret", "key"}
baseRestrictions.MaxContextSize = 100000
case "devops_engineer":
baseRestrictions.ForbiddenPaths = append(baseRestrictions.ForbiddenPaths, "src/**")
baseRestrictions.ForbiddenTypes = []string{"business_logic", "user_data"}
case "qa_engineer":
baseRestrictions.ForbiddenPaths = append(baseRestrictions.ForbiddenPaths, "src/**", "infra/**")
baseRestrictions.ForbiddenTypes = []string{"production_config", "security_config"}
baseRestrictions.RateLimit.RequestsPerHour = 500 // Lower limit for QA
}
return baseRestrictions
}
func (rap *RoleAwareProcessor) createDefaultPermissions(role *Role) *RolePermissions {
return &RolePermissions{
RoleID: role.ID,
ContextAccess: &ContextAccessRights{
ReadLevel: role.SecurityLevel,
WriteLevel: role.SecurityLevel - 2,
AllowedTypes: []string{"code", "documentation", "configuration"},
SizeLimit: 1000000,
},
AnalysisAccess: &AnalysisAccessRights{
AllowedAnalysisTypes: role.Capabilities,
MaxComplexity: 8,
TimeoutLimit: 5 * time.Minute,
ResourceLimit: 100,
},
InsightAccess: &InsightAccessRights{
GenerationLevel: role.SecurityLevel,
AccessLevel: role.SecurityLevel,
ConfidenceThreshold: 0.5,
MaxInsights: 50,
},
SystemAccess: &SystemAccessRights{
AdminAccess: role.SecurityLevel >= 8,
ConfigAccess: role.SecurityLevel >= 7,
MetricsAccess: true,
AuditAccess: role.SecurityLevel >= 6,
},
}
}
func (rap *RoleAwareProcessor) createDefaultInsightConfig(role *Role) *RoleInsightConfig {
config := &RoleInsightConfig{
MaxInsights: 50,
ConfidenceThreshold: 0.5,
CategoryWeights: make(map[string]float64),
CustomFilters: []string{},
}
// Role-specific insight configurations
switch role.ID {
case "architect":
config.EnabledGenerators = []string{"architecture_insights", "design_patterns", "system_analysis"}
config.CategoryWeights = map[string]float64{
"architecture": 1.0,
"design": 0.9,
"performance": 0.7,
"scalability": 0.9,
}
config.MaxInsights = 100
case "developer":
config.EnabledGenerators = []string{"code_insights", "implementation_suggestions", "bug_detection"}
config.CategoryWeights = map[string]float64{
"code_quality": 1.0,
"implementation": 0.9,
"bugs": 0.8,
"performance": 0.6,
}
case "security_analyst":
config.EnabledGenerators = []string{"security_insights", "vulnerability_analysis", "compliance_check"}
config.CategoryWeights = map[string]float64{
"security": 1.0,
"vulnerabilities": 1.0,
"compliance": 0.9,
"privacy": 0.8,
}
config.MaxInsights = 200
case "devops_engineer":
config.EnabledGenerators = []string{"infrastructure_insights", "deployment_analysis", "monitoring_suggestions"}
config.CategoryWeights = map[string]float64{
"infrastructure": 1.0,
"deployment": 0.9,
"monitoring": 0.8,
"automation": 0.7,
}
case "qa_engineer":
config.EnabledGenerators = []string{"quality_insights", "test_suggestions", "validation_analysis"}
config.CategoryWeights = map[string]float64{
"quality": 1.0,
"testing": 0.9,
"validation": 0.8,
"reliability": 0.7,
}
}
return config
}
func (rap *RoleAwareProcessor) createDefaultSecurityConfig(role *Role) *RoleSecurityConfig {
return &RoleSecurityConfig{
EncryptionRequired: role.SecurityLevel >= 8,
AccessLogging: true,
RateLimit: &RateLimit{
RequestsPerMinute: 60,
RequestsPerHour: 1000,
BurstSize: 10,
WindowSize: time.Minute,
},
IPWhitelist: []string{},
RequiredClaims: []string{"role_verified", "session_valid"},
}
}
// Role manager methods
func (rm *RoleManager) loadDefaultRoles() {
// Default roles are loaded in initializeDefaultRoles
}
func (rm *RoleManager) getRole(roleID string) (*Role, error) {
role, exists := rm.roles[roleID]
if !exists || !role.IsActive {
return nil, fmt.Errorf("role not found or inactive: %s", roleID)
}
return role, nil
}
func (rm *RoleManager) getRoleCapabilities(roleID string) (*RoleCapabilities, error) {
capabilities, exists := rm.capabilities[roleID]
if !exists {
return nil, fmt.Errorf("capabilities not found for role: %s", roleID)
}
return capabilities, nil
}
// Security filter methods
func NewSecurityFilter() *SecurityFilter {
return &SecurityFilter{
classificationLevels: map[string]int{
"public": 1,
"internal": 3,
"confidential": 6,
"secret": 8,
"top_secret": 10,
},
contentFilters: make(map[string]*ContentFilter),
accessMatrix: &AccessMatrix{
Rules: make(map[string]*AccessRule),
DefaultDeny: true,
LastUpdated: time.Now(),
},
}
}
func (sf *SecurityFilter) filterForRole(node *slurpContext.ContextNode, role *Role) (*slurpContext.ContextNode, error) {
filtered := node.Clone()
// Apply content filtering based on role security level
filtered.Summary = sf.filterContent(node.Summary, role)
filtered.Purpose = sf.filterContent(node.Purpose, role)
// Filter insights based on role access level
filteredInsights := []string{}
for _, insight := range node.Insights {
if sf.canAccessInsight(insight, role) {
filteredInsights = append(filteredInsights, sf.filterContent(insight, role))
}
}
filtered.Insights = filteredInsights
// Filter technologies based on role restrictions
filtered.Technologies = sf.filterTechnologies(node.Technologies, role)
// Filter tags
filtered.Tags = sf.filterTags(node.Tags, role)
// Add security metadata
if filtered.Metadata == nil {
filtered.Metadata = make(map[string]interface{})
}
filtered.Metadata["filtered_for_role"] = role.ID
filtered.Metadata["security_level_applied"] = role.SecurityLevel
return filtered, nil
}
func (sf *SecurityFilter) filterContent(content string, role *Role) string {
// Simple content filtering - in production would be more sophisticated
filteredContent := content
// Apply role-specific content filters
if role.SecurityLevel < 8 {
// Remove sensitive patterns for lower security levels
sensitivePatterns := []string{
"password", "secret", "key", "token", "credential",
"private", "confidential", "restricted",
}
for _, pattern := range sensitivePatterns {
if strings.Contains(strings.ToLower(filteredContent), pattern) {
filteredContent = strings.ReplaceAll(filteredContent, pattern, "[REDACTED]")
}
}
}
return filteredContent
}
func (sf *SecurityFilter) canAccessInsight(insight string, role *Role) bool {
// Check if role can access this type of insight
lowerInsight := strings.ToLower(insight)
// Security analysts can see all insights
if role.ID == "security_analyst" {
return true
}
// Architects can see high-level insights
if role.ID == "architect" {
restrictedPatterns := []string{"implementation detail", "low-level", "code-specific"}
for _, pattern := range restrictedPatterns {
if strings.Contains(lowerInsight, pattern) {
return false
}
}
return true
}
// Developers can see implementation insights but not architectural decisions
if role.ID == "developer" {
restrictedPatterns := []string{"strategic", "architectural decision", "business"}
for _, pattern := range restrictedPatterns {
if strings.Contains(lowerInsight, pattern) {
return false
}
}
return true
}
return true // Default allow for other roles
}
func (sf *SecurityFilter) filterTechnologies(technologies []string, role *Role) []string {
filtered := []string{}
for _, tech := range technologies {
if sf.canAccessTechnology(tech, role) {
filtered = append(filtered, tech)
}
}
return filtered
}
func (sf *SecurityFilter) canAccessTechnology(technology string, role *Role) bool {
// Role-specific technology access rules
lowerTech := strings.ToLower(technology)
switch role.ID {
case "qa_engineer":
// QA engineers shouldn't see infrastructure technologies
infraTechs := []string{"kubernetes", "docker", "terraform", "ansible"}
for _, infraTech := range infraTechs {
if strings.Contains(lowerTech, infraTech) {
return false
}
}
case "developer":
// Developers shouldn't see deployment/infrastructure details
restrictedTechs := []string{"production", "deployment", "monitoring"}
for _, restricted := range restrictedTechs {
if strings.Contains(lowerTech, restricted) {
return false
}
}
}
return true
}
func (sf *SecurityFilter) filterTags(tags []string, role *Role) []string {
filtered := []string{}
for _, tag := range tags {
if sf.canAccessTag(tag, role) {
filtered = append(filtered, tag)
}
}
return filtered
}
func (sf *SecurityFilter) canAccessTag(tag string, role *Role) bool {
// Simple tag filtering based on role
lowerTag := strings.ToLower(tag)
// Security-related tags only for security analysts and architects
securityTags := []string{"security", "vulnerability", "encryption", "authentication"}
for _, secTag := range securityTags {
if strings.Contains(lowerTag, secTag) && role.SecurityLevel < 7 {
return false
}
}
return true
}
// Insight generator methods
func NewInsightGenerator() *InsightGenerator {
ig := &InsightGenerator{
generators: make(map[string]RoleInsightGenerator),
templates: make(map[string]*InsightTemplate),
filters: make(map[string]*InsightFilter),
}
// Initialize role-specific generators
ig.initializeGenerators()
return ig
}
func (ig *InsightGenerator) initializeGenerators() {
// Initialize generators for different roles
ig.generators["architect"] = NewArchitectInsightGenerator()
ig.generators["developer"] = NewDeveloperInsightGenerator()
ig.generators["security_analyst"] = NewSecurityInsightGenerator()
ig.generators["devops_engineer"] = NewDevOpsInsightGenerator()
ig.generators["qa_engineer"] = NewQAInsightGenerator()
}
func (ig *InsightGenerator) generateForRole(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) {
generator, exists := ig.generators[role.ID]
if !exists {
return nil, fmt.Errorf("no insight generator found for role: %s", role.ID)
}
// Validate context for this role
if err := generator.ValidateContext(node, role); err != nil {
return nil, fmt.Errorf("context validation failed: %w", err)
}
// Generate insights
insights, err := generator.GenerateInsights(ctx, node, role)
if err != nil {
return nil, fmt.Errorf("insight generation failed: %w", err)
}
// Apply role-specific filters
filteredInsights := ig.applyRoleFilters(insights, role)
// Sort by priority and confidence
sort.Slice(filteredInsights, func(i, j int) bool {
if filteredInsights[i].Priority == filteredInsights[j].Priority {
return filteredInsights[i].Confidence > filteredInsights[j].Confidence
}
return filteredInsights[i].Priority > filteredInsights[j].Priority
})
return filteredInsights, nil
}
func (ig *InsightGenerator) applyRoleFilters(insights []*RoleSpecificInsight, role *Role) []*RoleSpecificInsight {
filtered := []*RoleSpecificInsight{}
for _, insight := range insights {
// Check security level
if insight.SecurityLevel > role.SecurityLevel {
continue
}
// Apply role-specific filtering logic
if ig.shouldIncludeInsight(insight, role) {
filtered = append(filtered, insight)
}
}
return filtered
}
func (ig *InsightGenerator) shouldIncludeInsight(insight *RoleSpecificInsight, role *Role) bool {
// Role-specific inclusion logic
switch role.ID {
case "architect":
// Architects prefer high-level, strategic insights
return insight.Category != "implementation_detail" && insight.Priority >= 3
case "developer":
// Developers prefer implementation-focused insights
return insight.Category != "strategic_planning" && insight.Confidence >= 0.6
case "security_analyst":
// Security analysts want security-related insights
securityCategories := []string{"security", "vulnerability", "compliance"}
for _, cat := range securityCategories {
if insight.Category == cat {
return true
}
}
return insight.SecurityLevel >= 6
case "devops_engineer":
// DevOps engineers want infrastructure and deployment insights
devopsCategories := []string{"infrastructure", "deployment", "monitoring", "automation"}
for _, cat := range devopsCategories {
if insight.Category == cat {
return true
}
}
return false
case "qa_engineer":
// QA engineers want quality and testing insights
qaCategories := []string{"quality", "testing", "validation", "reliability"}
for _, cat := range qaCategories {
if insight.Category == cat {
return true
}
}
return false
}
return true // Default include
}
// Access controller methods
func NewAccessController() *AccessController {
ac := &AccessController{
permissions: NewPermissionMatrix(),
sessions: make(map[string]*RoleSession),
}
return ac
}
func (ac *AccessController) hasAccess(roleID, action, resource string) bool {
ac.mu.RLock()
defer ac.mu.RUnlock()
// Check role permissions
rolePermissions, exists := ac.permissions.RolePermissions[roleID]
if !exists {
return false
}
// Simple access check based on action type
switch {
case strings.HasPrefix(action, "context:"):
return ac.checkContextAccess(rolePermissions.ContextAccess, action, resource)
case strings.HasPrefix(action, "analysis:"):
return ac.checkAnalysisAccess(rolePermissions.AnalysisAccess, action)
case strings.HasPrefix(action, "insight:"):
return ac.checkInsightAccess(rolePermissions.InsightAccess, action)
case strings.HasPrefix(action, "system:"):
return ac.checkSystemAccess(rolePermissions.SystemAccess, action)
default:
return false
}
}
func (ac *AccessController) checkContextAccess(rights *ContextAccessRights, action, resource string) bool {
if strings.HasSuffix(action, ":read") {
return rights.ReadLevel > 0 && ac.matchesPathRestrictions(resource, rights.PathRestrictions)
}
if strings.HasSuffix(action, ":write") {
return rights.WriteLevel > 0 && ac.matchesPathRestrictions(resource, rights.PathRestrictions)
}
return false
}
func (ac *AccessController) checkAnalysisAccess(rights *AnalysisAccessRights, action string) bool {
return len(rights.AllowedAnalysisTypes) > 0
}
func (ac *AccessController) checkInsightAccess(rights *InsightAccessRights, action string) bool {
return rights.GenerationLevel > 0
}
func (ac *AccessController) checkSystemAccess(rights *SystemAccessRights, action string) bool {
if strings.Contains(action, "admin") {
return rights.AdminAccess
}
if strings.Contains(action, "config") {
return rights.ConfigAccess
}
if strings.Contains(action, "metrics") {
return rights.MetricsAccess
}
if strings.Contains(action, "audit") {
return rights.AuditAccess
}
return false
}
func (ac *AccessController) matchesPathRestrictions(resource string, restrictions []string) bool {
if len(restrictions) == 0 {
return true // No restrictions means allowed
}
for _, restriction := range restrictions {
if strings.HasPrefix(resource, restriction) {
return false // Matches a restriction, access denied
}
}
return true
}
// Permission matrix methods
func NewPermissionMatrix() *PermissionMatrix {
return &PermissionMatrix{
RolePermissions: make(map[string]*RolePermissions),
ResourceACL: make(map[string]*ResourceACL),
DefaultPolicy: "deny",
LastUpdated: time.Now(),
}
}
// Audit logger methods
func NewAuditLogger() *AuditLogger {
return &AuditLogger{
entries: []*AuditEntry{},
config: &AuditConfig{
LogLevel: "info",
MaxEntries: 10000,
RetentionPeriod: 90 * 24 * time.Hour,
LogToFile: false,
EnableMetrics: true,
},
}
}
func (al *AuditLogger) logAccess(roleID, action, resource, result, details string) {
al.mu.Lock()
defer al.mu.Unlock()
entry := &AuditEntry{
ID: fmt.Sprintf("%d", time.Now().UnixNano()),
Timestamp: time.Now(),
RoleID: roleID,
Action: action,
Resource: resource,
Result: result,
Details: details,
Context: map[string]interface{}{},
}
al.entries = append(al.entries, entry)
// Trim old entries if necessary
if len(al.entries) > al.config.MaxEntries {
al.entries = al.entries[1:]
}
}
func (al *AuditLogger) GetAuditLog(limit int) []*AuditEntry {
al.mu.Lock()
defer al.mu.Unlock()
if limit <= 0 || limit > len(al.entries) {
limit = len(al.entries)
}
// Return most recent entries
start := len(al.entries) - limit
return al.entries[start:]
}
// Placeholder implementations for role-specific insight generators
// These would be fully implemented with sophisticated logic in production
type ArchitectInsightGenerator struct{}
func NewArchitectInsightGenerator() *ArchitectInsightGenerator { return &ArchitectInsightGenerator{} }
func (aig *ArchitectInsightGenerator) GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) {
return []*RoleSpecificInsight{
{
ID: "arch_001",
RoleID: role.ID,
Category: "architecture",
Title: "Architectural Assessment",
Content: fmt.Sprintf("Component %s appears to follow good architectural patterns", node.Path),
Confidence: 0.8,
Priority: 7,
SecurityLevel: 5,
GeneratedAt: time.Now(),
},
}, nil
}
func (aig *ArchitectInsightGenerator) GetSupportedRoles() []string { return []string{"architect"} }
func (aig *ArchitectInsightGenerator) GetInsightTypes() []string { return []string{"architecture", "design", "patterns"} }
func (aig *ArchitectInsightGenerator) ValidateContext(node *slurpContext.ContextNode, role *Role) error { return nil }
type DeveloperInsightGenerator struct{}
func NewDeveloperInsightGenerator() *DeveloperInsightGenerator { return &DeveloperInsightGenerator{} }
func (dig *DeveloperInsightGenerator) GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) {
return []*RoleSpecificInsight{
{
ID: "dev_001",
RoleID: role.ID,
Category: "implementation",
Title: "Code Quality Assessment",
Content: fmt.Sprintf("Code in %s follows good practices", node.Path),
Confidence: 0.7,
Priority: 6,
SecurityLevel: 3,
GeneratedAt: time.Now(),
},
}, nil
}
func (dig *DeveloperInsightGenerator) GetSupportedRoles() []string { return []string{"developer"} }
func (dig *DeveloperInsightGenerator) GetInsightTypes() []string { return []string{"code_quality", "implementation", "bugs"} }
func (dig *DeveloperInsightGenerator) ValidateContext(node *slurpContext.ContextNode, role *Role) error { return nil }
type SecurityInsightGenerator struct{}
func NewSecurityInsightGenerator() *SecurityInsightGenerator { return &SecurityInsightGenerator{} }
func (sig *SecurityInsightGenerator) GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) {
return []*RoleSpecificInsight{
{
ID: "sec_001",
RoleID: role.ID,
Category: "security",
Title: "Security Assessment",
Content: fmt.Sprintf("No obvious security issues found in %s", node.Path),
Confidence: 0.9,
Priority: 9,
SecurityLevel: 8,
GeneratedAt: time.Now(),
},
}, nil
}
func (sig *SecurityInsightGenerator) GetSupportedRoles() []string { return []string{"security_analyst"} }
func (sig *SecurityInsightGenerator) GetInsightTypes() []string { return []string{"security", "vulnerability", "compliance"} }
func (sig *SecurityInsightGenerator) ValidateContext(node *slurpContext.ContextNode, role *Role) error { return nil }
type DevOpsInsightGenerator struct{}
func NewDevOpsInsightGenerator() *DevOpsInsightGenerator { return &DevOpsInsightGenerator{} }
func (doig *DevOpsInsightGenerator) GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) {
return []*RoleSpecificInsight{
{
ID: "devops_001",
RoleID: role.ID,
Category: "infrastructure",
Title: "Infrastructure Assessment",
Content: fmt.Sprintf("Component %s appears deployable", node.Path),
Confidence: 0.6,
Priority: 5,
SecurityLevel: 4,
GeneratedAt: time.Now(),
},
}, nil
}
func (doig *DevOpsInsightGenerator) GetSupportedRoles() []string { return []string{"devops_engineer"} }
func (doig *DevOpsInsightGenerator) GetInsightTypes() []string { return []string{"infrastructure", "deployment", "monitoring"} }
func (doig *DevOpsInsightGenerator) ValidateContext(node *slurpContext.ContextNode, role *Role) error { return nil }
type QAInsightGenerator struct{}
func NewQAInsightGenerator() *QAInsightGenerator { return &QAInsightGenerator{} }
func (qaig *QAInsightGenerator) GenerateInsights(ctx context.Context, node *slurpContext.ContextNode, role *Role) ([]*RoleSpecificInsight, error) {
return []*RoleSpecificInsight{
{
ID: "qa_001",
RoleID: role.ID,
Category: "quality",
Title: "Quality Assessment",
Content: fmt.Sprintf("Component %s meets quality standards", node.Path),
Confidence: 0.75,
Priority: 4,
SecurityLevel: 3,
GeneratedAt: time.Now(),
},
}, nil
}
func (qaig *QAInsightGenerator) GetSupportedRoles() []string { return []string{"qa_engineer"} }
func (qaig *QAInsightGenerator) GetInsightTypes() []string { return []string{"quality", "testing", "validation"} }
func (qaig *QAInsightGenerator) ValidateContext(node *slurpContext.ContextNode, role *Role) error { return nil }
Reference in New Issue View Git Blame Copy Permalink