@escher-dbai/rag-module/src/services/SecurityService.js

Enterprise RAG module with chat context storage, vector search, and session management. Complete chat history retrieval and streaming content extraction for Electron apps.

/**
 * Security Service - Handles privacy levels and data sanitization
 */
class SecurityService {
  constructor(configManager) {
    this.configManager = configManager;
  }

  /**
   * Format documents for external consumption based on privacy level
   * @param {Array} documents - Internal documents
   * @returns {Array} - Sanitized external identifiers
   */
  formatForExternal(documents) {
    const config = this.configManager.getConfig();
    const privacyLevel = config.privacyLevel || 'minimal-aws';
    
    return documents.map(doc => {
      if (privacyLevel === 'anonymous') {
        return { anonymousId: this._generateAnonymousId(doc.id) };
      } else {
        return this._extractMinimalCloudData(doc);
      }
    });
  }

  /**
   * Generate anonymous ID for a resource
   */
  _generateAnonymousId(resourceId) {
    // Simple hash-based anonymous ID generation
    const hash = require('crypto').createHash('sha256').update(resourceId).digest('hex');
    return 'res-' + hash.substring(0, 16);
  }

  /**
   * Extract minimal cloud data for functional privacy
   */
  _extractMinimalCloudData(document) {
    const metadata = document.metadata;
    const cloud = metadata.cloud;
    
    if (cloud === 'aws') {
      return {
        resourceId: this._extractResourceId(document.id, 'aws'),
        region: metadata.region,
        serviceType: metadata.service,
        cloud: 'aws'
      };
    } else if (cloud === 'azure') {
      return {
        resourceId: this._extractResourceId(document.id, 'azure'),
        region: metadata.region,
        serviceType: metadata.service,
        cloud: 'azure'
      };
    } else if (cloud === 'gcp') {
      return {
        resourceId: this._extractResourceId(document.id, 'gcp'),
        region: metadata.region,
        serviceType: metadata.service,
        cloud: 'gcp'
      };
    }
    
    return { anonymousId: this._generateAnonymousId(document.id) };
  }

  /**
   * Extract just the resource ID without account/subscription info
   */
  _extractResourceId(fullId, cloud) {
    switch (cloud) {
      case 'aws':
        // Extract instance ID, volume ID, etc. from ARN
        const arnParts = fullId.split(':');
        const resourcePart = arnParts[5] || '';
        return resourcePart.split('/').pop() || resourcePart;
      
      case 'azure':
        // Extract resource name from Azure resource ID
        return fullId.split('/').pop() || fullId;
      
      case 'gcp':
        // Extract resource name from GCP resource path
        return fullId.split('/').pop() || fullId;
      
      default:
        return fullId;
    }
  }
}

module.exports = SecurityService;