kelora 1.5.0

A command-line log analysis tool with embedded Rhai scripting
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350

//! Hashing and pseudonymization helpers for Rhai scripts.
//!
//! Includes fast hashes, cryptographic digests, and salted pseudonyms.

use argon2::password_hash::{Salt, SaltString};
use argon2::{Argon2, PasswordHasher};
use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine as _};
use hkdf::Hkdf;
use hmac::{Hmac, Mac};
use once_cell::sync::Lazy;
use rhai::Engine;
use sha2::{Digest, Sha256};
use std::collections::HashMap;
use std::sync::{Mutex, RwLock};
use xxhash_rust::xxh3::xxh3_64;

type HmacSha256 = Hmac<Sha256>;

/// Runtime configuration for hashing module
#[derive(Debug, Clone, Default)]
pub struct HashingRuntimeConfig {
    pub verbose: u8,
    pub use_emoji: bool,
}

static RUNTIME_CONFIG: Lazy<RwLock<HashingRuntimeConfig>> =
    Lazy::new(|| RwLock::new(HashingRuntimeConfig::default()));

/// Set runtime configuration for hashing functions
pub fn set_runtime_config(config: HashingRuntimeConfig) {
    let mut guard = RUNTIME_CONFIG
        .write()
        .expect("hashing runtime config poisoned");
    *guard = config;
}

/// Log pseudonym initialization (only on verbose level 2+)
fn log_pseudonym_init(message: &str) {
    let config = RUNTIME_CONFIG
        .read()
        .expect("hashing runtime config poisoned");
    if config.verbose >= 2 {
        let prefix = if config.use_emoji { "🔹" } else { "kelora:" };
        eprintln!("{} {}", prefix, message);
    }
}

/// Master key for pseudonymization (derived once at startup)
static MASTER_KEY: Lazy<MasterKeyState> = Lazy::new(|| {
    match std::env::var("KELORA_SECRET") {
        Ok(secret) if !secret.is_empty() => {
            match derive_master_key_from_secret(&secret) {
                Ok(key) => {
                    log_pseudonym_init("pseudonym: ON (stable; KELORA_SECRET)");
                    MasterKeyState::Stable(key)
                }
                Err(e) => {
                    // Always show fatal errors
                    eprintln!("kelora: pseudonym init failed: {}", e);
                    std::process::exit(1);
                }
            }
        }
        Ok(_) => {
            // Always show fatal errors
            eprintln!("kelora: KELORA_SECRET must not be empty");
            std::process::exit(1);
        }
        Err(_) => {
            // Generate ephemeral key
            let mut key = [0u8; 32];
            for byte in &mut key {
                *byte = fastrand::u8(..);
            }
            log_pseudonym_init("pseudonym: ON (ephemeral; not stable)");
            MasterKeyState::Ephemeral(key)
        }
    }
});

/// Domain-specific derived keys (cached)
static DOMAIN_KEYS: Lazy<Mutex<HashMap<String, [u8; 32]>>> =
    Lazy::new(|| Mutex::new(HashMap::new()));

enum MasterKeyState {
    Stable([u8; 32]),
    Ephemeral([u8; 32]),
}

impl MasterKeyState {
    fn as_bytes(&self) -> &[u8; 32] {
        match self {
            MasterKeyState::Stable(k) => k,
            MasterKeyState::Ephemeral(k) => k,
        }
    }
}

/// Derive master key from secret using Argon2id
fn derive_master_key_from_secret(secret: &str) -> Result<[u8; 32], String> {
    let argon2 = Argon2::new(
        argon2::Algorithm::Argon2id,
        argon2::Version::V0x13,
        argon2::Params::new(
            64 * 1024, // 64 MiB
            3,         // iterations
            1,         // parallelism
            Some(32),  // output length
        )
        .map_err(|e| format!("Argon2 params error: {}", e))?,
    );

    // Use fixed salt "kelora:v1:master"
    let salt = SaltString::encode_b64(b"kelora:v1:master")
        .map_err(|e| format!("Salt encoding error: {}", e))?;

    let hash = argon2
        .hash_password(secret.as_bytes(), Salt::try_from(salt.as_str()).unwrap())
        .map_err(|e| format!("Argon2 hashing error: {}", e))?;

    let hash_bytes = hash
        .hash
        .ok_or_else(|| "Argon2 produced no hash".to_string())?;

    let mut key = [0u8; 32];
    key.copy_from_slice(hash_bytes.as_bytes());
    Ok(key)
}

/// Derive domain-specific key using HKDF-SHA256
fn derive_domain_key(domain: &str) -> Result<[u8; 32], String> {
    // Check cache first
    {
        let cache = DOMAIN_KEYS.lock().unwrap();
        if let Some(key) = cache.get(domain) {
            return Ok(*key);
        }
    }

    let master = MASTER_KEY.as_bytes();
    let info = format!("kelora:v1:{}", domain);

    let hkdf = Hkdf::<Sha256>::new(None, master);
    let mut okm = [0u8; 32];
    hkdf.expand(info.as_bytes(), &mut okm)
        .map_err(|e| format!("HKDF expansion error: {}", e))?;

    // Cache the derived key
    {
        let mut cache = DOMAIN_KEYS.lock().unwrap();
        cache.insert(domain.to_string(), okm);
    }

    Ok(okm)
}

/// Generate pseudonym token using HMAC-SHA256
fn pseudonym_impl(value: &str, domain: &str) -> Result<String, Box<rhai::EvalAltResult>> {
    if domain.is_empty() {
        return Err("pseudonym: domain must be non-empty".into());
    }

    // Force initialization of master key (triggers logging)
    let _ = MASTER_KEY.as_bytes();

    let domain_key = derive_domain_key(domain)
        .map_err(|e| format!("pseudonym: domain key derivation failed: {}", e))?;

    // HMAC-SHA256(key=domain_key, data=domain || value)
    let mut mac =
        HmacSha256::new_from_slice(&domain_key).map_err(|e| format!("HMAC init error: {}", e))?;

    mac.update(domain.as_bytes());
    mac.update(value.as_bytes());

    let result = mac.finalize();
    let tag = result.into_bytes();

    // base64url encode (unpadded) and take first 24 chars
    let encoded = URL_SAFE_NO_PAD.encode(tag);
    Ok(encoded[..24].to_string())
}

/// Fast non-cryptographic hash for bucketing/sampling
/// Uses xxh3_64 for performance
fn bucket_impl(value: &str) -> i64 {
    xxh3_64(value.as_bytes()) as i64
}

/// Apply a named hash algorithm to input
/// Supported: "sha256" (default), "xxh3"
fn hash_impl(value: &str, algo: &str) -> Result<String, Box<rhai::EvalAltResult>> {
    let algo_lower = algo.to_lowercase();
    match algo_lower.as_str() {
        "sha256" => {
            let mut hasher = Sha256::new();
            hasher.update(value.as_bytes());
            Ok(hex::encode(hasher.finalize()))
        }
        "xxh3" => {
            let hash = xxh3_64(value.as_bytes());
            Ok(format!("{:016x}", hash))
        }
        _ => Err(format!("Unknown hash algorithm '{}'. Supported: sha256, xxh3", algo).into()),
    }
}

/// Wrapper for hash with default algorithm
fn hash_default_impl(value: &str) -> Result<String, Box<rhai::EvalAltResult>> {
    hash_impl(value, "sha256")
}

/// Register hashing functions with the Rhai engine
pub fn register_functions(engine: &mut Engine) {
    // bucket() - fast non-cryptographic hash for bucketing/sampling
    engine.register_fn("bucket", bucket_impl);

    // hash() - multi-algorithm hashing
    engine.register_fn("hash", hash_default_impl);
    engine.register_fn("hash", hash_impl);

    // pseudonym() - domain-separated pseudonymization
    engine.register_fn("pseudonym", pseudonym_impl);
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_bucket() {
        let result1 = bucket_impl("test");
        let result2 = bucket_impl("test");
        let result3 = bucket_impl("other");

        // Same input should produce same hash
        assert_eq!(result1, result2);
        // Different input should (probably) produce different hash
        assert_ne!(result1, result3);
    }

    #[test]
    fn test_hash_sha256() {
        let result = hash_impl("hello", "sha256").unwrap();
        assert_eq!(
            result,
            "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
        );
    }

    #[test]
    fn test_hash_xxh3() {
        let result = hash_impl("hello", "xxh3").unwrap();
        // xxh3 is deterministic, just verify it's a valid hex string
        assert_eq!(result.len(), 16);
        assert!(result.chars().all(|c| c.is_ascii_hexdigit()));
    }

    #[test]
    fn test_hash_unknown_algo() {
        let result = hash_impl("hello", "unknown");
        assert!(result.is_err());
    }

    #[test]
    fn test_hash_default() {
        let result = hash_default_impl("hello").unwrap();
        // Should default to sha256
        assert_eq!(
            result,
            "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
        );
    }

    #[test]
    fn test_pseudonym_empty_domain() {
        let result = pseudonym_impl("value", "");
        assert!(result.is_err());
        let err_msg = result.unwrap_err().to_string();
        assert!(err_msg.contains("domain must be non-empty"));
    }

    #[test]
    fn test_pseudonym_deterministic() {
        // Same value and domain should produce same token
        let result1 = pseudonym_impl("user123", "kelora:v1:email").unwrap();
        let result2 = pseudonym_impl("user123", "kelora:v1:email").unwrap();
        assert_eq!(result1, result2);
        assert_eq!(result1.len(), 24);
    }

    #[test]
    fn test_pseudonym_domain_separation() {
        // Same value, different domains should produce different tokens
        let result1 = pseudonym_impl("user123", "kelora:v1:email").unwrap();
        let result2 = pseudonym_impl("user123", "kelora:v1:ip").unwrap();
        assert_ne!(result1, result2);
    }

    #[test]
    fn test_pseudonym_different_values() {
        // Different values, same domain should produce different tokens
        let result1 = pseudonym_impl("user123", "kelora:v1:email").unwrap();
        let result2 = pseudonym_impl("user456", "kelora:v1:email").unwrap();
        assert_ne!(result1, result2);
    }

    #[test]
    fn test_pseudonym_output_format() {
        let result = pseudonym_impl("test", "kelora:v1:test").unwrap();
        // Should be exactly 24 characters
        assert_eq!(result.len(), 24);
        // Should only contain base64url characters (no padding)
        assert!(result
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_'));
        assert!(!result.contains('='));
    }

    #[test]
    fn test_rhai_integration() {
        let mut engine = rhai::Engine::new();
        register_functions(&mut engine);

        // Test bucket
        let result: i64 = engine.eval(r#"bucket("test")"#).unwrap();
        assert_eq!(result, bucket_impl("test"));

        // Test hash with default
        let result: String = engine.eval(r#"hash("hello")"#).unwrap();
        assert_eq!(
            result,
            "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
        );

        // Test hash with algo
        let result: String = engine.eval(r#"hash("hello", "xxh3")"#).unwrap();
        assert_eq!(result.len(), 16);

        // Test pseudonym
        let result: String = engine
            .eval(r#"pseudonym("user123", "kelora:v1:email")"#)
            .unwrap();
        assert_eq!(result.len(), 24);

        // Test pseudonym with empty domain
        let result = engine.eval::<String>(r#"pseudonym("user123", "")"#);
        assert!(result.is_err());
    }
}