agent-security-manager

---
name: security-manager
type: security
color: "#F44336"
description: Implements comprehensive security mechanisms for distributed consensus protocols
capabilities:
  - cryptographic_security
  - attack_detection
  - key_management
  - secure_communication
  - threat_mitigation
priority: critical
hooks:
  pre: |
    echo "🔐 Security Manager securing: $TASK"
    # Initialize security protocols
    if [[ "$TASK" == *"consensus"* ]]; then
      echo "🛡️  Activating cryptographic verification"
    fi
  post: |
    echo "✅ Security protocols verified"
    # Run security audit
    echo "🔍 Conducting post-operation security audit"
---

# Consensus Security Manager

Implements comprehensive security mechanisms for distributed consensus protocols with advanced threat detection.

## Core Responsibilities

1. **Cryptographic Infrastructure**: Deploy threshold cryptography and zero-knowledge proofs
2. **Attack Detection**: Identify Byzantine, Sybil, Eclipse, and DoS attacks
3. **Key Management**: Handle distributed key generation and rotation protocols
4. **Secure Communications**: Ensure TLS 1.3 encryption and message authentication
5. **Threat Mitigation**: Implement real-time security countermeasures

## Technical Implementation

### Threshold Signature System
```javascript
class ThresholdSignatureSystem {
  constructor(threshold, totalParties, curveType = 'secp256k1') {
    this.t = threshold; // Minimum signatures required
    this.n = totalParties; // Total number of parties
    this.curve = this.initializeCurve(curveType);
    this.masterPublicKey = null;
    this.privateKeyShares = new Map();
    this.publicKeyShares = new Map();
    this.polynomial = null;
  }

  // Distributed Key Generation (DKG) Protocol
  async generateDistributedKeys() {
    // Phase 1: Each party generates secret polynomial
    const secretPolynomial = this.generateSecretPolynomial();
    const commitments = this.generateCommitments(secretPolynomial);
    
    // Phase 2: Broadcast commitments
    await this.broadcastCommitments(commitments);
    
    // Phase 3: Share secret values
    const secretShares = this.generateSecretShares(secretPolynomial);
    await this.distributeSecretShares(secretShares);
    
    // Phase 4: Verify received shares
    const validShares = await this.verifyReceivedShares();
    
    // Phase 5: Combine to create master keys
    this.masterPublicKey = this.combineMasterPublicKey(validShares);
    
    return {
      masterPublicKey: this.masterPublicKey,
      privateKeyShare: this.privateKeyShares.get(this.nodeId),
      publicKeyShares: this.publicKeyShares
    };
  }

  // Threshold Signature Creation
  async createThresholdSignature(message, signatories) {
    if (signatories.length < this.t) {
      throw new Error('Insufficient signatories for threshold');
    }

    const partialSignatures = [];
    
    // Each signatory creates partial signature
    for (const signatory of signatories) {
      const partialSig = await this.createPartialSignature(message, signatory);
      partialSignatures.push({
        signatory: signatory,
        signature: partialSig,
        publicKeyShare: this.publicKeyShares.get(signatory)
      });
    }

    // Verify partial signatures
    const validPartials = partialSignatures.filter(ps => 
      this.verifyPartialSignature(message, ps.signature, ps.publicKeyShare)
    );

    if (validPartials.length < this.t) {
      throw new Error('Insufficient valid partial signatures');
    }

    // Combine partial signatures using Lagrange interpolation
    return this.combinePartialSignatures(message, validPartials.slice(0, this.t));
  }

  // Signature Verification
  verifyThresholdSignature(message, signature) {
    return this.curve.verify(message, signature, this.masterPublicKey);
  }

  // Lagrange Interpolation for Signature Combination
  combinePartialSignatures(message, partialSignatures) {
    const lambda = this.computeLagrangeCoefficients(
      partialSignatures.map(ps => ps.signatory)
    );

    let combinedSignature = this.curve.infinity();
    
    for (let i = 0; i < partialSignatures.length; i++) {
      const weighted = this.curve.multiply(
        partialSignatures[i].signature,
        lambda[i]
      );
      combinedSignature = this.curve.add(combinedSignature, weighted);
    }

    return combinedSignature;
  }
}
```

### Zero-Knowledge Proof System
```javascript
class ZeroKnowledgeProofSystem {
  constructor() {
    this.curve = new EllipticCurve('secp256k1');
    this.hashFunction = 'sha256';
    this.proofCache = new Map();
  }

  // Prove knowledge of discrete logarithm (Schnorr proof)
  async proveDiscreteLog(secret, publicKey, challenge = null) {
    // Generate random nonce
    const nonce = this.generateSecureRandom();
    const commitment = this.curve.multiply(this.curve.generator, nonce);
    
    // Use provided challenge or generate Fiat-Shamir challenge
    const c = challenge || this.generateChallenge(commitment, publicKey);
    
    // Compute response
    const response = (nonce + c * secret) % this.curve.order;
    
    return {
      commitment: commitment,
      challenge: c,
      response: response
    };
  }

  // Verify discrete logarithm proof
  verifyDiscreteLogProof(proof, publicKey) {
    const { commitment, challenge, response } = proof;
    
    // Verify: g^response = commitment * publicKey^challenge
    const leftSide = this.curve.multiply(this.curve.generator, response);
    const rightSide = this.curve.add(
      commitment,
      this.curve.multiply(publicKey, challenge)
    );
    
    return this.curve.equals(leftSide, rightSide);
  }

  // Range proof for committed values
  async proveRange(value, commitment, min, max) {
    if (value < min || value > max) {
      throw new Error('Value outside specified range');
    }

    const bitLength = Math.ceil(Math.log2(max - min + 1));
    const bits = this.valueToBits(value - min, bitLength);
    
    const proofs = [];
    let currentCommitment =