feat(privacy,safety,telemetry): add consent ledger API (hash-chained), safety pipeline (pre/steer/post), telemetry placeholder; wire into SSE stream and chat UI

OneFineStarstuff · OneFineStarstuff · commit d454d209cd5e · 2025-09-12T16:23:39.000Z
diff --git a/next-app/app/api/chat/stream/route.ts b/next-app/app/api/chat/stream/route.ts
@@ -8,13 +8,18 @@ function* fakeStream(text: string) {
   }
 }
 
+import { preFilter, steerPrompt, postModerate } from '@/lib/safety/pipeline';
+
 function streamForMessage(message: string) {
   const ctrl = new AbortController();
   const stream = new ReadableStream<Uint8Array>({
     async start(controller) {
       try {
-        const reply = `Echo: ${message}`;
-        const meta = { layer: 'surface', model: 'mock', version: '0.0.1', latencyMs: 42 };
+        const pre = preFilter(message);
+        const safePrompt = steerPrompt(message);
+        const reply = `Echo: ${safePrompt}`;
+        const post = postModerate(reply);
+        const meta = { layer: 'surface', model: 'mock', version: '0.0.1', latencyMs: 42, pre, post };
         controller.enqueue(encode(`event: meta\ndata: ${JSON.stringify(meta)}\n\n`));
         for (const chunk of fakeStream(reply)) {
           await new Promise(r => setTimeout(r, 10));
diff --git a/next-app/app/api/consent/route.ts b/next-app/app/api/consent/route.ts
@@ -0,0 +1,18 @@
+import { NextRequest } from 'next/server';
+import { appendConsentEvent, exportConsent } from '@/lib/privacy/consentLedger';
+
+export const runtime = 'nodejs';
+
+export async function POST(req: NextRequest) {
+  const { userId = 'demo', sessionId, action } = await req.json();
+  if (!['persist_on','persist_off','export'].includes(action)) return new Response('bad action', { status: 400 });
+  const ev = await appendConsentEvent({ userId, sessionId, action, ts: new Date().toISOString() as any });
+  return Response.json(ev);
+}
+
+export async function GET(req: NextRequest) {
+  const { searchParams } = new URL(req.url);
+  const userId = searchParams.get('userId') ?? 'demo';
+  const data = await exportConsent(userId);
+  return Response.json(data);
+}
diff --git a/next-app/app/chat/page.tsx b/next-app/app/chat/page.tsx
@@ -49,7 +49,7 @@ export default function ChatPage() {
 
   return (
     <div className="space-y-4">
-      <h1 className="text-2xl font-semibold">Chat</h1>
+      <h1 className="text-2xl font-semibold">Chat <span className="text-xs align-middle text-slate-500">(ephemeral by default)</span></h1>
       <div className="rounded border bg-white p-3">
         <div className="space-y-3" role="log" aria-live="polite">
           {messages.map((m, i) => (
@@ -63,10 +63,11 @@ export default function ChatPage() {
             </div>
           ))}
         </div>
-        <div className="mt-3 flex gap-2">
+        <div className="mt-3 flex flex-wrap items-center gap-2">
           <input value={input} onChange={e=>setInput(e.target.value)} className="flex-1 rounded border px-3 py-2" placeholder="Type a message..." />
           <button onClick={send} disabled={streaming} className="rounded bg-amber-600 px-4 py-2 text-white disabled:opacity-50">Send</button>
           {fallback && <span className="text-xs text-slate-500">Fallback in use</span>}
+          <a href="/api/consent?userId=demo" target="_blank" className="text-xs text-amber-700 underline">Export consent ledger</a>
         </div>
       </div>
     </div>
diff --git a/next-app/lib/privacy/consentLedger.ts b/next-app/lib/privacy/consentLedger.ts
@@ -0,0 +1,50 @@
+import crypto from 'crypto';
+import fs from 'fs/promises';
+import path from 'path';
+
+export type ConsentAction = 'persist_on' | 'persist_off' | 'export';
+export type ConsentEvent = { userId: string; sessionId?: string; action: ConsentAction; ts: string; prevHash?: string; hash?: string };
+
+const DATA_DIR = path.join(process.cwd(), 'next-app', '.data', 'consent');
+
+export async function appendConsentEvent(e: Omit<ConsentEvent, 'hash' | 'prevHash'>) {
+  await fs.mkdir(DATA_DIR, { recursive: true });
+  const chainFile = path.join(DATA_DIR, `${e.userId}.jsonl`);
+  let prevHash: string | undefined;
+  try {
+    const last = await tailLastLine(chainFile);
+    if (last) prevHash = JSON.parse(last).hash;
+  } catch {}
+  const event: ConsentEvent = { ...e, prevHash, ts: e.ts ?? new Date().toISOString() };
+  event.hash = hashEvent(event);
+  await fs.appendFile(chainFile, JSON.stringify(event) + '\n', 'utf8');
+  return event;
+}
+
+export function hashEvent(e: ConsentEvent) {
+  const s = `${e.userId}|${e.sessionId ?? ''}|${e.action}|${e.ts}|${e.prevHash ?? ''}`;
+  return crypto.createHash('sha256').update(s).digest('hex');
+}
+
+export async function exportConsent(userId: string) {
+  const chainFile = path.join(DATA_DIR, `${userId}.jsonl`);
+  try {
+    const raw = await fs.readFile(chainFile, 'utf8');
+    const events = raw.trim().split('\n').map((l) => JSON.parse(l) as ConsentEvent);
+    return { events, root: events.at(-1)?.hash };
+  } catch (e: any) {
+    if (e.code === 'ENOENT') return { events: [], root: undefined };
+    throw e;
+  }
+}
+
+async function tailLastLine(file: string): Promise<string | null> {
+  try {
+    const data = await fs.readFile(file, 'utf8');
+    const lines = data.trim().split('\n');
+    return lines.length ? lines[lines.length - 1] : null;
+  } catch (e: any) {
+    if (e.code === 'ENOENT') return null;
+    throw e;
+  }
+}
diff --git a/next-app/lib/safety/pipeline.ts b/next-app/lib/safety/pipeline.ts
@@ -0,0 +1,18 @@
+export type ModerationAction = 'allow' | 'block' | 'revise';
+export type ModerationEvent = { stage: 'pre' | 'post'; action: ModerationAction; reason?: string };
+
+const SENSITIVE = /(ssn|password|credit\s*card|cvv)/i;
+
+export function preFilter(input: string): ModerationEvent {
+  if (SENSITIVE.test(input)) return { stage: 'pre', action: 'revise', reason: 'redact_sensitive' };
+  return { stage: 'pre', action: 'allow' };
+}
+
+export function steerPrompt(input: string): string {
+  return `Policy: Be safe and helpful. Avoid unsafe advice.\n${input}`;
+}
+
+export function postModerate(output: string): ModerationEvent {
+  if (/violent|illegal/i.test(output)) return { stage: 'post', action: 'block', reason: 'unsafe_content' };
+  return { stage: 'post', action: 'allow' };
+}
diff --git a/next-app/lib/telemetry/record.ts b/next-app/lib/telemetry/record.ts
@@ -0,0 +1,5 @@
+export type ProviderMeta = { provider?: string; model?: string; layer?: string; version?: string; tokensIn?: number; tokensOut?: number; latencyMs?: number; tools?: any[] };
+export async function recordProviderInvocation(sessionId: string | undefined, meta: ProviderMeta) {
+  // Placeholder: in MVP, just log to console; integrate with OTel/PostHog later
+  console.log('provider_invocation', { sessionId, ...meta });
+}
