@jaguilar87/gaia-ops 4.4.0 → 4.7.2

package/dist/gaia-security/hooks/modules/audit/event_detector.py

@@ -0,0 +1,168 @@
+"""
+Critical event detection.
+
+Detects events that warrant context updates:
+- Git commits
+- Git pushes
+- File modifications
+"""
+
+import re
+import logging
+from enum import Enum
+from typing import Dict, Any, Optional, List
+from dataclasses import dataclass
+from datetime import datetime
+
+logger = logging.getLogger(__name__)
+
+
+class EventType(str, Enum):
+    """Types of critical events."""
+    GIT_COMMIT = "git_commit"
+    GIT_PUSH = "git_push"
+    FILE_MODIFICATIONS = "file_modifications"
+
+
+@dataclass
+class CriticalEvent:
+    """A detected critical event."""
+    event_type: EventType
+    data: Dict[str, Any]
+    timestamp: str = ""
+
+    def __post_init__(self):
+        if not self.timestamp:
+            self.timestamp = datetime.now().isoformat()
+
+    def to_dict(self) -> Dict[str, Any]:
+        return {
+            "event_type": self.event_type.value,
+            "timestamp": self.timestamp,
+            **self.data,
+        }
+
+
+class CriticalEventDetector:
+    """Detect critical events that warrant context updates."""
+
+    def detect_git_commit(
+        self,
+        tool_name: str,
+        parameters: Dict[str, Any],
+        result: Any,
+        success: bool
+    ) -> Optional[CriticalEvent]:
+        """Detect successful git commit."""
+        if not success or tool_name.lower() != "bash":
+            return None
+
+        command = parameters.get("command", "")
+        if "git commit" not in command or not result:
+            return None
+
+        result_str = str(result)
+
+        # Extract commit hash
+        commit_hash = ""
+        match = re.search(r'\[[\w\-/]+ ([a-f0-9]{7,})\]', result_str)
+        if match:
+            commit_hash = match.group(1)
+
+        # Extract commit message
+        commit_message = ""
+        if commit_hash:
+            msg_match = re.search(
+                r'\[[\w\-/]+ [a-f0-9]{7,}\]\s*(.+)',
+                result_str,
+                re.MULTILINE
+            )
+            if msg_match:
+                commit_message = msg_match.group(1).strip().split('\n')[0]
+
+        return CriticalEvent(
+            event_type=EventType.GIT_COMMIT,
+            data={
+                "commit_hash": commit_hash,
+                "commit_message": commit_message,
+                "command": command,
+            }
+        )
+
+    def detect_git_push(
+        self,
+        tool_name: str,
+        parameters: Dict[str, Any],
+        result: Any,
+        success: bool
+    ) -> Optional[CriticalEvent]:
+        """Detect successful git push."""
+        if not success or tool_name.lower() != "bash":
+            return None
+
+        command = parameters.get("command", "")
+        if "git push" not in command or not result:
+            return None
+
+        result_str = str(result)
+
+        # Extract branch info
+        branch = ""
+        match = re.search(
+            r'To .+\n\s+[a-f0-9]+\.\.[a-f0-9]+\s+([\w\-/]+)\s+->',
+            result_str
+        )
+        if match:
+            branch = match.group(1)
+
+        return CriticalEvent(
+            event_type=EventType.GIT_PUSH,
+            data={
+                "branch": branch,
+                "command": command,
+            }
+        )
+
+    def detect_all(
+        self,
+        tool_name: str,
+        parameters: Dict[str, Any],
+        result: Any = None,
+        success: bool = True
+    ) -> List[CriticalEvent]:
+        """Run all detectors and return found events."""
+        events = []
+
+        # Git commit
+        event = self.detect_git_commit(tool_name, parameters, result, success)
+        if event:
+            events.append(event)
+
+        # Git push
+        event = self.detect_git_push(tool_name, parameters, result, success)
+        if event:
+            events.append(event)
+
+        return events
+
+
+# Singleton detector
+_detector: Optional[CriticalEventDetector] = None
+
+
+def get_detector() -> CriticalEventDetector:
+    """Get singleton event detector."""
+    global _detector
+    if _detector is None:
+        _detector = CriticalEventDetector()
+    return _detector
+
+
+def detect_critical_event(
+    tool_name: str,
+    parameters: Dict[str, Any],
+    result: Any = None,
+    success: bool = True
+) -> List[CriticalEvent]:
+    """Detect critical events (convenience function)."""
+    return get_detector().detect_all(tool_name, parameters, result, success)

package/dist/gaia-security/hooks/modules/audit/logger.py

@@ -0,0 +1,131 @@
+"""
+Audit logger for tool executions.
+
+Logs all tool executions to daily audit log files.
+Note: session-<id>.jsonl was removed — it duplicated the daily audit log
+with no additional value (session_id was always "default").
+"""
+
+import os
+import json
+import logging
+from pathlib import Path
+from datetime import datetime
+from typing import Dict, Any, Optional
+
+from ..core.paths import get_logs_dir
+from ..core.state import get_session_id
+
+logger = logging.getLogger(__name__)
+
+
+class AuditLogger:
+    """Audit logger for tracking all tool executions."""
+
+    def __init__(self, log_dir: Optional[Path] = None):
+        """
+        Initialize audit logger.
+
+        Args:
+            log_dir: Override log directory (for testing)
+        """
+        if log_dir is not None:
+            self.log_dir = Path(log_dir) if isinstance(log_dir, str) else log_dir
+        else:
+            self.log_dir = get_logs_dir()
+        self.log_dir.mkdir(parents=True, exist_ok=True)
+        self.session_id = get_session_id()
+
+    def log_execution(
+        self,
+        tool_name: str,
+        parameters: Dict[str, Any],
+        result: Any,
+        duration: float,
+        exit_code: int = 0,
+        tier: str = "unknown"
+    ) -> None:
+        """
+        Log tool execution details.
+
+        Args:
+            tool_name: Name of the tool
+            parameters: Tool parameters
+            result: Execution result
+            duration: Duration in seconds
+            exit_code: Exit code (0 = success)
+            tier: Security tier
+        """
+        timestamp = datetime.now().isoformat()
+
+        # Extract command for bash tools
+        command = ""
+        if tool_name.lower() == "bash":
+            command = parameters.get("command", "")
+
+        # Create audit record
+        audit_record = {
+            "timestamp": timestamp,
+            "session_id": self.session_id,
+            "tool_name": tool_name,
+            "command": command,
+            "parameters": self._sanitize_params(parameters),
+            "duration_ms": round(duration * 1000, 2),
+            "exit_code": exit_code,
+            "tier": tier,
+        }
+
+        # Write to daily audit log (session log removed — was always "session-default.jsonl")
+        daily_log_file = self.log_dir / f"audit-{datetime.now().strftime('%Y-%m-%d')}.jsonl"
+        self._write_record(daily_log_file, audit_record)
+
+        logger.debug(f"Logged execution: {tool_name} - {command[:50]} - {duration:.2f}s")
+
+    def _sanitize_params(self, parameters: Dict[str, Any]) -> Dict[str, Any]:
+        """Remove sensitive data from parameters."""
+        sanitized = {}
+        sensitive_keys = ["password", "secret", "token", "key", "credential"]
+
+        for key, value in parameters.items():
+            if any(s in key.lower() for s in sensitive_keys):
+                sanitized[key] = "[REDACTED]"
+            elif isinstance(value, str) and len(value) > 500:
+                sanitized[key] = value[:500] + "...[truncated]"
+            else:
+                sanitized[key] = value
+
+        return sanitized
+
+    def _write_record(self, file_path: Path, record: Dict) -> None:
+        """Write record to JSONL file."""
+        try:
+            with open(file_path, "a") as f:
+                f.write(json.dumps(record) + "\n")
+        except Exception as e:
+            logger.error(f"Error writing audit record to {file_path}: {e}")
+
+
+# Singleton logger
+_audit_logger: Optional[AuditLogger] = None
+
+
+def get_audit_logger() -> AuditLogger:
+    """Get singleton audit logger."""
+    global _audit_logger
+    if _audit_logger is None:
+        _audit_logger = AuditLogger()
+    return _audit_logger
+
+
+def log_execution(
+    tool_name: str,
+    parameters: Dict[str, Any],
+    result: Any,
+    duration: float,
+    exit_code: int = 0,
+    tier: str = "unknown"
+) -> None:
+    """Log tool execution (convenience function)."""
+    get_audit_logger().log_execution(
+        tool_name, parameters, result, duration, exit_code, tier
+    )

package/dist/gaia-security/hooks/modules/audit/metrics.py

@@ -0,0 +1,134 @@
+"""
+Metrics aggregation from audit logs.
+
+Reads audit-*.jsonl files (the single source of truth for execution data)
+and produces aggregated summaries. No write path — audit/logger.py owns writes.
+"""
+
+import json
+import logging
+from pathlib import Path
+from datetime import datetime, timedelta
+from typing import Dict, Any, List, Optional
+from collections import defaultdict
+
+from ..core.paths import get_logs_dir
+
+logger = logging.getLogger(__name__)
+
+
+def _classify_command(command: str) -> str:
+    """Classify command type for metrics aggregation."""
+    command_lower = command.lower()
+    classifiers = [
+        ("terraform", "terraform"),
+        ("kubectl", "kubernetes"),
+        ("helm", "helm"),
+        ("gcloud", "gcp"),
+        ("aws", "aws"),
+        ("flux", "flux"),
+        ("docker", "docker"),
+        ("git", "git"),
+    ]
+    for keyword, classification in classifiers:
+        if keyword in command_lower:
+            return classification
+    return "general"
+
+
+def _load_audit_records_since(
+    logs_dir: Path, cutoff_date: datetime
+) -> List[Dict]:
+    """Load audit records from audit-*.jsonl files since cutoff date."""
+    records = []
+
+    try:
+        audit_files = list(logs_dir.glob("audit-*.jsonl"))
+    except Exception as e:
+        logger.error(f"Error listing audit files: {e}")
+        return records
+
+    for audit_file in audit_files:
+        try:
+            with open(audit_file, "r") as f:
+                for line in f:
+                    line = line.strip()
+                    if not line:
+                        continue
+                    try:
+                        record = json.loads(line)
+                        record_time = datetime.fromisoformat(
+                            record.get("timestamp", "")
+                        )
+                        if record_time >= cutoff_date:
+                            records.append(record)
+                    except (json.JSONDecodeError, ValueError):
+                        continue
+        except Exception as e:
+            logger.debug(f"Error reading {audit_file}: {e}")
+
+    return records
+
+
+def generate_summary(
+    days: int = 7, logs_dir: Optional[Path] = None
+) -> Dict[str, Any]:
+    """
+    Generate metrics summary from audit logs for the last N days.
+
+    Args:
+        days: Number of days to include
+        logs_dir: Override logs directory (for testing)
+
+    Returns:
+        Dictionary with aggregated metrics:
+        - period_days, total_executions, avg_duration_ms
+        - top_commands (by classified command_type)
+        - tier_distribution, command_type_distribution
+    """
+    if logs_dir is None:
+        logs_dir = get_logs_dir()
+
+    cutoff_date = datetime.now() - timedelta(days=days)
+    records = _load_audit_records_since(logs_dir, cutoff_date)
+
+    if not records:
+        return {
+            "period_days": days,
+            "total_executions": 0,
+            "avg_duration_ms": 0.0,
+            "top_commands": [],
+            "tier_distribution": {},
+            "command_type_distribution": {},
+        }
+
+    total = len(records)
+    total_duration = sum(r.get("duration_ms", 0) for r in records)
+
+    # Classify commands from audit log 'command' field
+    command_types = defaultdict(int)
+    for r in records:
+        cmd = r.get("command", "")
+        command_types[_classify_command(cmd)] += 1
+
+    # Count by tier
+    tiers = defaultdict(int)
+    for r in records:
+        tiers[r.get("tier", "unknown")] += 1
+
+    # Top command types
+    top_commands = sorted(
+        command_types.items(),
+        key=lambda x: x[1],
+        reverse=True,
+    )[:10]
+
+    return {
+        "period_days": days,
+        "total_executions": total,
+        "avg_duration_ms": round(total_duration / total, 2) if total > 0 else 0.0,
+        "top_commands": [{"type": t, "count": c} for t, c in top_commands],
+        "tier_distribution": dict(tiers),
+        "command_type_distribution": dict(command_types),
+        "generated_at": datetime.now().isoformat(),
+    }