aidp 0.33.0 → 0.34.1

data/lib/aidp/security/watch_mode_handler.rb

@@ -0,0 +1,306 @@
+# frozen_string_literal: true
+
+module Aidp
+  module Security
+    # Handles security policy violations in watch mode with fail-forward logic
+    # When a Rule of Two violation occurs, attempts to find alternative approaches
+    # using AGD/ZFC before failing. If no path forward, adds a comment and label.
+    #
+    # Fail-forward flow:
+    # 1. Security violation detected
+    # 2. Attempt to convert to compliant operation (up to max_retry_attempts)
+    #    - Try using secrets proxy instead of direct credential access
+    #    - Try sanitizing untrusted input
+    #    - Try deferring egress operations
+    # 3. If all attempts fail, add PR/issue comment and aidp-needs-input label
+    class WatchModeHandler
+      DEFAULT_MAX_RETRY_ATTEMPTS = 3
+      DEFAULT_NEEDS_INPUT_LABEL = "aidp-needs-input"
+
+      attr_reader :config, :repository_client
+
+      def initialize(repository_client:, config: {})
+        @repository_client = repository_client
+        @config = normalize_config(config)
+        @retry_counts = {}
+      end
+
+      # Handle a security policy violation
+      # @param violation [PolicyViolation] The violation that occurred
+      # @param context [Hash] Context about the operation
+      #   - :issue_number or :pr_number - The issue/PR number
+      #   - :work_unit_id - The work unit identifier
+      #   - :operation - The operation that was attempted
+      # @return [Hash] Result of handling: { recovered: bool, action: symbol, message: string }
+      def handle_violation(violation, context:)
+        work_unit_id = context[:work_unit_id] || "unknown"
+        issue_or_pr_number = context[:issue_number] || context[:pr_number]
+
+        Aidp.log_debug("security.watch_handler", "handling_violation",
+          work_unit_id: work_unit_id,
+          flag: violation.flag,
+          source: violation.source)
+
+        # Increment retry count for this work unit
+        @retry_counts[work_unit_id] ||= 0
+        @retry_counts[work_unit_id] += 1
+        retry_count = @retry_counts[work_unit_id]
+
+        if retry_count <= max_retry_attempts
+          # Attempt to find alternative approach
+          result = attempt_fail_forward(violation, context, retry_count)
+
+          if result[:recovered]
+            Aidp.log_info("security.watch_handler", "violation_recovered",
+              work_unit_id: work_unit_id,
+              attempt: retry_count,
+              strategy: result[:strategy])
+            return result
+          end
+
+          # Not yet at max retries, will try again
+          Aidp.log_debug("security.watch_handler", "fail_forward_attempt_failed",
+            work_unit_id: work_unit_id,
+            attempt: retry_count,
+            max_attempts: max_retry_attempts)
+
+          {
+            recovered: false,
+            action: :retry,
+            message: "Security violation, attempting alternative approach (#{retry_count}/#{max_retry_attempts})",
+            retry_count: retry_count
+          }
+        else
+          # Max retries exceeded - add comment and label
+          Aidp.log_warn("security.watch_handler", "max_retries_exceeded",
+            work_unit_id: work_unit_id,
+            retry_count: retry_count)
+
+          if issue_or_pr_number
+            add_security_comment_and_label(violation, context, issue_or_pr_number)
+          end
+
+          # Clear retry count
+          @retry_counts.delete(work_unit_id)
+
+          {
+            recovered: false,
+            action: :fail,
+            message: "Security policy violation cannot be resolved automatically. Manual intervention required.",
+            needs_input: true
+          }
+        end
+      end
+
+      # Reset retry count for a work unit (call on success or explicit reset)
+      def reset_retry_count(work_unit_id)
+        @retry_counts.delete(work_unit_id)
+      end
+
+      # Check if security handling is enabled
+      def enabled?
+        @config[:fail_forward_enabled] != false
+      end
+
+      private
+
+      def normalize_config(config)
+        {
+          max_retry_attempts: config[:max_retry_attempts] || config["max_retry_attempts"] || DEFAULT_MAX_RETRY_ATTEMPTS,
+          fail_forward_enabled: config.fetch(:fail_forward_enabled, config.fetch("fail_forward_enabled", true)),
+          needs_input_label: config[:needs_input_label] || config["needs_input_label"] || DEFAULT_NEEDS_INPUT_LABEL
+        }
+      end
+
+      def max_retry_attempts
+        @config[:max_retry_attempts]
+      end
+
+      def needs_input_label
+        @config[:needs_input_label]
+      end
+
+      # Attempt to find an alternative approach that doesn't violate Rule of Two
+      # Returns { recovered: bool, strategy: symbol, ... }
+      def attempt_fail_forward(violation, context, attempt_number)
+        # Determine which mitigation strategy to try based on the violation
+        strategies = build_mitigation_strategies(violation, context)
+
+        if attempt_number <= strategies.length
+          strategy = strategies[attempt_number - 1]
+          Aidp.log_debug("security.watch_handler", "trying_strategy",
+            strategy: strategy[:name],
+            attempt: attempt_number)
+
+          result = execute_strategy(strategy, violation, context)
+          return result if result[:recovered]
+        end
+
+        {recovered: false, strategy: nil}
+      end
+
+      # Build ordered list of mitigation strategies based on the violation type
+      def build_mitigation_strategies(violation, context)
+        strategies = []
+
+        case violation.flag
+        when :private_data
+          # Try using secrets proxy instead of direct access
+          strategies << {
+            name: :use_secrets_proxy,
+            description: "Route credential access through secrets proxy",
+            action: :convert_to_proxy_access
+          }
+
+        when :egress
+          # Try deferring egress operations
+          strategies << {
+            name: :defer_egress,
+            description: "Queue egress operation for later execution",
+            action: :queue_for_later
+          }
+
+        when :untrusted_input
+          # Try sanitizing the input
+          strategies << {
+            name: :sanitize_input,
+            description: "Sanitize untrusted input before processing",
+            action: :sanitize
+          }
+        end
+
+        # Add generic strategies
+        strategies << {
+          name: :use_deterministic_unit,
+          description: "Convert to deterministic unit (no agent call)",
+          action: :convert_to_deterministic
+        }
+
+        strategies << {
+          name: :request_trusted_context,
+          description: "Request elevated trust context",
+          action: :request_trust
+        }
+
+        strategies
+      end
+
+      # Execute a mitigation strategy
+      # In MVP, these strategies log the attempt but don't actually recover
+      # Future: integrate with AGD/ZFC for intelligent conversion
+      def execute_strategy(strategy, violation, context)
+        case strategy[:action]
+        when :convert_to_proxy_access
+          # Check if we can use secrets proxy
+          # MVP: Just check if proxy is available, don't actually convert
+          begin
+            Aidp::Security.secrets_proxy
+          rescue
+            false
+          end
+          {recovered: false, strategy: strategy[:name], reason: "Proxy conversion not yet implemented"}
+
+        when :queue_for_later
+          # Queue egress for manual execution
+          # MVP: Log the operation for manual review
+          Aidp.log_info("security.watch_handler", "egress_queued",
+            work_unit_id: context[:work_unit_id],
+            operation: context[:operation])
+          {recovered: false, strategy: strategy[:name], reason: "Egress queued for manual review"}
+
+        when :sanitize
+          # Input sanitization would require AGD/ZFC
+          # MVP: Not yet implemented
+          {recovered: false, strategy: strategy[:name], reason: "Input sanitization not yet implemented"}
+
+        when :convert_to_deterministic
+          # Converting to deterministic unit requires context about the operation
+          # MVP: Not yet implemented
+          {recovered: false, strategy: strategy[:name], reason: "Deterministic conversion not yet implemented"}
+
+        when :request_trust
+          # Trust elevation requires human intervention
+          {recovered: false, strategy: strategy[:name], reason: "Trust elevation requires manual approval"}
+
+        else
+          {recovered: false, strategy: nil, reason: "Unknown strategy"}
+        end
+      end
+
+      # Add a comment and label to the issue/PR indicating manual intervention is needed
+      def add_security_comment_and_label(violation, context, number)
+        is_pr = context.key?(:pr_number)
+
+        comment_body = build_security_comment(violation, context)
+
+        begin
+          # Add comment
+          if is_pr
+            @repository_client.add_pr_comment(number, comment_body)
+          else
+            @repository_client.add_issue_comment(number, comment_body)
+          end
+
+          # Add label
+          @repository_client.add_labels(number, [needs_input_label])
+
+          Aidp.log_info("security.watch_handler", "needs_input_posted",
+            number: number,
+            is_pr: is_pr,
+            label: needs_input_label)
+        rescue => e
+          Aidp.log_error("security.watch_handler", "failed_to_post_needs_input",
+            number: number,
+            error: e.message)
+        end
+      end
+
+      # Build the comment explaining the security violation
+      def build_security_comment(violation, context)
+        <<~COMMENT
+          ## 🛡️ Security Policy Violation - Manual Intervention Required
+
+          AIDP encountered a **Rule of Two security violation** while processing this #{context.key?(:pr_number) ? "pull request" : "issue"}.
+
+          ### What happened
+
+          The requested operation would have enabled the "lethal trifecta" - a combination of:
+          - **Untrusted input** - Processing content from external sources
+          - **Private data access** - Access to secrets or credentials
+          - **Egress capability** - Ability to communicate externally
+
+          Allowing all three simultaneously creates a security risk where a compromised prompt could exfiltrate sensitive data.
+
+          ### Violation Details
+
+          - **Blocked flag**: `#{violation.flag}`
+          - **Source**: #{violation.source || "unknown"}
+          - **Work unit**: #{context[:work_unit_id] || "unknown"}
+
+          ### Current state
+          #{format_current_state(violation.current_state)}
+
+          ### What you can do
+
+          1. **Use the Secrets Proxy** - Register secrets and use proxy tokens instead of direct credential access
+          2. **Sanitize input** - Mark the input source as trusted (if appropriate)
+          3. **Defer egress** - Queue the external communication for manual execution
+          4. **Review and retry** - Modify the request to avoid the security conflict
+
+          ---
+          *This comment was added by AIDP security enforcement. Remove the `#{needs_input_label}` label after resolving.*
+        COMMENT
+      end
+
+      def format_current_state(state)
+        return "No state available" unless state.is_a?(Hash)
+
+        lines = []
+        lines << "- `untrusted_input`: #{state[:untrusted_input] ? "✓ enabled (#{state[:untrusted_input_source]})" : "✗ disabled"}"
+        lines << "- `private_data`: #{state[:private_data] ? "✓ enabled (#{state[:private_data_source]})" : "✗ disabled"}"
+        lines << "- `egress`: #{state[:egress] ? "✓ enabled (#{state[:egress_source]})" : "✗ disabled"}"
+        lines.join("\n")
+      end
+    end
+  end
+end

data/lib/aidp/security/work_loop_adapter.rb

@@ -0,0 +1,277 @@
+# frozen_string_literal: true
+
+module Aidp
+  module Security
+    # Adapts the Rule of Two security framework to the WorkLoopRunner
+    # Tracks trifecta state per work unit and enforces policy before agent calls
+    #
+    # Integration points:
+    # - Work unit start/end lifecycle
+    # - Untrusted input detection (issues, PRs, external data)
+    # - Egress detection (git operations, API calls)
+    # - Private data detection (registered secrets)
+    #
+    # Usage:
+    #   adapter = WorkLoopAdapter.new(project_dir: Dir.pwd)
+    #   adapter.begin_work_unit(work_unit_id: "unit_123", context: context)
+    #   adapter.check_agent_call_allowed!(operation: :git_push)
+    #   adapter.end_work_unit
+    class WorkLoopAdapter
+      attr_reader :project_dir, :config, :current_work_unit_id, :current_state
+
+      # Sources of untrusted input that trigger the untrusted_input flag
+      UNTRUSTED_SOURCES = %w[
+        github_issue
+        github_pr
+        github_comment
+        external_url
+        user_provided_url
+        webhook_payload
+      ].freeze
+
+      # Operations that constitute egress (external communication)
+      EGRESS_OPERATIONS = %w[
+        git_push
+        git_fetch
+        api_call
+        http_request
+        webhook_send
+        email_send
+        file_upload
+        pr_comment
+        issue_comment
+      ].freeze
+
+      def initialize(project_dir:, config: nil, enforcer: nil, secrets_proxy: nil)
+        @project_dir = project_dir
+        @config = config || load_security_config
+        @enforcer = enforcer || Aidp::Security.enforcer
+        @secrets_proxy = secrets_proxy || Aidp::Security.secrets_proxy
+        @current_work_unit_id = nil
+        @current_state = nil
+      end
+
+      # Check if security enforcement is enabled
+      def enabled?
+        rule_of_two_config = @config[:rule_of_two] || {}
+        rule_of_two_config.fetch(:enabled, true)
+      end
+
+      # Begin tracking a work unit
+      # @param work_unit_id [String] Unique identifier for the work unit
+      # @param context [Hash] Work context containing source information
+      # @return [TrifectaState] The state object for this work unit
+      def begin_work_unit(work_unit_id:, context: {})
+        return nil unless enabled?
+
+        @current_work_unit_id = work_unit_id
+        @current_state = @enforcer.begin_work_unit(work_unit_id: work_unit_id)
+
+        # Analyze context for untrusted input
+        detect_and_enable_untrusted_input(context)
+
+        Aidp.log_debug("security.adapter", "work_unit_started",
+          work_unit_id: work_unit_id,
+          initial_state: @current_state.to_h)
+
+        @current_state
+      end
+
+      # End tracking for current work unit
+      # @return [Hash] Final state summary
+      def end_work_unit
+        return nil unless enabled? && @current_work_unit_id
+
+        summary = @enforcer.end_work_unit(@current_work_unit_id)
+        @current_work_unit_id = nil
+        @current_state = nil
+
+        Aidp.log_debug("security.adapter", "work_unit_ended",
+          summary: summary)
+
+        summary
+      end
+
+      # Check if an agent call would be allowed and enable egress flag
+      # @param operation [String, Symbol] The type of operation (e.g., :git_push)
+      # @param requires_credentials [Boolean] Whether operation needs credentials
+      # @raise [PolicyViolation] if operation would violate Rule of Two
+      # @return [TrifectaState] The current state after enabling egress
+      def check_agent_call_allowed!(operation:, requires_credentials: false)
+        return @current_state unless enabled? && @current_state
+
+        operation_str = operation.to_s
+
+        # Check if this operation constitutes egress
+        if egress_operation?(operation_str)
+          begin
+            @current_state.enable(:egress, source: "agent_operation:#{operation_str}")
+          rescue PolicyViolation => e
+            Aidp.log_warn("security.adapter", "egress_blocked",
+              operation: operation_str,
+              reason: e.message,
+              current_state: @current_state.to_h)
+            raise
+          end
+        end
+
+        # If operation requires credentials, check if we can enable private_data
+        if requires_credentials
+          begin
+            @current_state.enable(:private_data, source: "credential_access:#{operation_str}")
+          rescue PolicyViolation => e
+            Aidp.log_warn("security.adapter", "credential_access_blocked",
+              operation: operation_str,
+              reason: e.message,
+              current_state: @current_state.to_h)
+            raise
+          end
+        end
+
+        @current_state
+      end
+
+      # Request credentials through the secrets proxy
+      # This enables the private_data flag and returns a short-lived token
+      # @param secret_name [String] The registered secret name
+      # @param scope [String] The intended use of this credential
+      # @return [Hash] Token details from the secrets proxy
+      # @raise [PolicyViolation] if credential access would violate Rule of Two
+      def request_credential(secret_name:, scope: nil)
+        unless enabled?
+          # If security is disabled, return direct access (legacy mode)
+          env_var = @secrets_proxy.registry.env_var_for(secret_name)
+          return {token: ENV[env_var], direct_access: true} if env_var
+
+          raise UnregisteredSecretError.new(secret_name: secret_name)
+        end
+
+        # Check if enabling private_data would violate Rule of Two
+        if @current_state&.would_create_trifecta?(:private_data)
+          raise PolicyViolation.new(
+            flag: :private_data,
+            source: "credential_request:#{secret_name}",
+            current_state: @current_state.to_h,
+            message: "Cannot access credentials for '#{secret_name}' - would create lethal trifecta"
+          )
+        end
+
+        # Enable private_data flag
+        @current_state&.enable(:private_data, source: "secrets_proxy:#{secret_name}")
+
+        # Request token from proxy
+        @secrets_proxy.request_token(secret_name: secret_name, scope: scope)
+      end
+
+      # Get a sanitized environment for agent execution
+      # Strips all registered secrets from the environment
+      # @return [Hash] Sanitized environment hash
+      def sanitized_environment
+        @secrets_proxy.sanitized_environment
+      end
+
+      # Execute a block with sanitized environment
+      # @yield The block to execute
+      # @return [Object] The result of the block
+      def with_sanitized_environment(&block)
+        @secrets_proxy.with_sanitized_environment(&block)
+      end
+
+      # Check if current state would allow enabling a flag
+      # @param flag [Symbol] :untrusted_input, :private_data, or :egress
+      # @return [Hash] { allowed: boolean, reason: string }
+      def would_allow?(flag)
+        return {allowed: true, reason: "Security disabled"} unless enabled?
+        return {allowed: true, reason: "No active work unit"} unless @current_state
+
+        if @current_state.would_create_trifecta?(flag)
+          {
+            allowed: false,
+            reason: "Would create lethal trifecta",
+            current_state: @current_state.to_h
+          }
+        else
+          {
+            allowed: true,
+            reason: "Operation allowed",
+            enabled_count: @current_state.enabled_count
+          }
+        end
+      end
+
+      # Get current security status for display
+      def status
+        return {enabled: false} unless enabled?
+
+        {
+          enabled: true,
+          active_work_unit: @current_work_unit_id,
+          state: @current_state&.to_h,
+          status_string: @current_state&.status_string || "No active work unit"
+        }
+      end
+
+      private
+
+      def load_security_config
+        Aidp::Config.security_config(@project_dir)
+      rescue
+        {} # Fallback to empty config
+      end
+
+      # Detect untrusted input sources in the context
+      def detect_and_enable_untrusted_input(context)
+        sources = []
+
+        # Check for GitHub issue source
+        if context[:issue_number] || context[:issue_url] || context.dig(:issue, :number)
+          sources << "github_issue"
+        end
+
+        # Check for GitHub PR source
+        if context[:pr_number] || context[:pr_url] || context.dig(:pull_request, :number)
+          sources << "github_pr"
+        end
+
+        # Check for external URL input
+        if context[:external_url] || context[:user_url]
+          sources << "external_url"
+        end
+
+        # Check for webhook payload
+        if context[:webhook_payload] || context[:webhook_event]
+          sources << "webhook_payload"
+        end
+
+        # Check for watch mode (processes untrusted issues/PRs)
+        if context[:workflow_type].to_s == "watch_mode"
+          sources << "watch_mode_untrusted_content"
+        end
+
+        # Enable untrusted_input if any sources detected
+        if sources.any?
+          source_description = sources.join(", ")
+          begin
+            @current_state.enable(:untrusted_input, source: source_description)
+            Aidp.log_debug("security.adapter", "untrusted_input_detected",
+              work_unit_id: @current_work_unit_id,
+              sources: sources)
+          rescue PolicyViolation => e
+            # This shouldn't happen at the start of a work unit
+            Aidp.log_error("security.adapter", "unexpected_policy_violation",
+              error: e.message)
+            raise
+          end
+        end
+      end
+
+      # Check if operation constitutes egress
+      def egress_operation?(operation)
+        EGRESS_OPERATIONS.include?(operation) ||
+          operation.start_with?("git_") ||
+          operation.start_with?("api_") ||
+          operation.start_with?("http_")
+      end
+    end
+  end
+end

data/lib/aidp/security.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+# Security module for AIDP - Implements "Rule of Two" security framework
+# Based on Meta's agentic security principles to prevent prompt injection attacks
+#
+# Core concept: Never enable more than two of three dangerous conditions:
+# 1. untrusted_input - Processing untrusted content (issues, PRs, external data)
+# 2. private_data    - Access to secrets, credentials, or sensitive data
+# 3. egress          - Ability to communicate externally (git push, API calls, etc.)
+#
+# When all three would be active ("lethal trifecta"), the operation is denied.
+
+# Error classes are defined in lib/aidp/errors.rb and aliased into this module
+require_relative "errors"
+require_relative "security/trifecta_state"
+require_relative "security/rule_of_two_enforcer"
+require_relative "security/secrets_registry"
+require_relative "security/secrets_proxy"
+require_relative "security/work_loop_adapter"
+require_relative "security/watch_mode_handler"
+
+module Aidp
+  module Security
+    class << self
+      # Get the global enforcer instance
+      def enforcer
+        @enforcer ||= RuleOfTwoEnforcer.new
+      end
+
+      # Get the global secrets registry
+      def secrets_registry
+        @secrets_registry ||= SecretsRegistry.new
+      end
+
+      # Get the global secrets proxy
+      def secrets_proxy
+        @secrets_proxy ||= SecretsProxy.new(registry: secrets_registry)
+      end
+
+      # Reset all security state (primarily for testing)
+      def reset!
+        @enforcer = nil
+        @secrets_registry = nil
+        @secrets_proxy = nil
+      end
+
+      # Check if security features are enabled
+      def enabled?(project_dir = Dir.pwd)
+        config = Aidp::Config.load(project_dir)
+        security_config = config[:security] || config["security"] || {}
+        rule_of_two_config = security_config[:rule_of_two] || security_config["rule_of_two"] || {}
+        rule_of_two_config[:enabled] != false # Default to enabled
+      end
+    end
+  end
+end

data/lib/aidp/setup/wizard.rb

@@ -23,6 +23,8 @@ module Aidp
       }.freeze
 
       attr_reader :project_dir, :prompt, :dry_run
+      # Expose state for testability
+      attr_reader :warnings, :existing_config, :config, :discovery_threads
 
       def initialize(project_dir = Dir.pwd, prompt: nil, dry_run: false)
         @project_dir = project_dir
@@ -105,8 +107,8 @@ module Aidp
         providers_dir = File.join(__dir__, "../providers")
         provider_files = Dir.glob("*.rb", base: providers_dir)
 
-        # Exclude base classes
-        excluded_files = ["base.rb"]
+        # Exclude base classes and non-provider utility files
+        excluded_files = ["base.rb", "adapter.rb", "capability_registry.rb", "error_taxonomy.rb"]
         provider_files -= excluded_files
 
         providers = {}

data/lib/aidp/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Aidp
-  VERSION = "0.33.0"
+  VERSION = "0.34.1"
 end