@jaguilar87/gaia 5.0.2 → 5.0.5

package/dist/gaia-ops/tools/agentic-loop/record-iteration.py

@@ -1,223 +0,0 @@
-#!/usr/bin/env python3
-"""
-record-iteration.py
-
-Atomically update state.json and append to worklog.md after each iteration.
-The LLM never writes state.json directly — this script is the only writer.
-
-Usage:
-    python3 record-iteration.py \
-        --state-file state.json \
-        --worklog worklog.md \
-        --iteration 5 \
-        --metric-value 94.5 \
-        --status keep \
-        --description "Handle hyphenated verbs" \
-        --insight "delete-objects splits correctly" \
-        --next "Check camelCase+hyphen combined"
-
-    Optional flags:
-        --changed TEXT      What was modified (default: same as description)
-        --metric-name TEXT  Name of the metric recorded (default: "metric")
-
-Atomic write guarantee: state.json is written to a .tmp sibling, fsynced,
-then renamed over the original.  Either the full write lands or the original
-is untouched.
-"""
-
-from __future__ import annotations
-
-import argparse
-import json
-import os
-import sys
-import tempfile
-from datetime import datetime, timezone
-
-
-def load_state(path: str) -> dict:
-    """Load existing state.json or return an empty skeleton."""
-    if not os.path.exists(path):
-        return {
-            "iteration": 0,
-            "current_metric": None,
-            "best_metric": None,
-            "consecutive_discards": 0,
-            "pivot_count": 0,
-            "timestamp": None,
-            "status": None,
-        }
-    try:
-        with open(path, "r") as fh:
-            data = json.load(fh)
-        return data
-    except (OSError, json.JSONDecodeError) as exc:
-        print(f"error: cannot read state file '{path}': {exc}", file=sys.stderr)
-        sys.exit(1)
-
-
-def atomic_write_json(path: str, data: dict) -> None:
-    """Write *data* to *path* atomically using write-fsync-rename."""
-    dir_name = os.path.dirname(os.path.abspath(path))
-    # Use a temp file in the same directory so rename is on the same filesystem.
-    try:
-        fd, tmp_path = tempfile.mkstemp(dir=dir_name, suffix=".tmp")
-        try:
-            with os.fdopen(fd, "w") as fh:
-                json.dump(data, fh, indent=2)
-                fh.write("\n")
-                fh.flush()
-                os.fsync(fh.fileno())
-            os.replace(tmp_path, path)
-        except Exception:
-            # Clean up orphaned temp file on failure.
-            try:
-                os.unlink(tmp_path)
-            except OSError:
-                pass
-            raise
-    except OSError as exc:
-        print(f"error: atomic write to '{path}' failed: {exc}", file=sys.stderr)
-        sys.exit(1)
-
-
-def append_worklog(
-    path: str,
-    iteration: int,
-    description: str,
-    metric_name: str,
-    metric_value: float,
-    status: str,
-    changed: str,
-    insight: str,
-    next_step: str,
-    best_metric: float | None,
-) -> None:
-    """Append a structured run entry to worklog.md."""
-    status_upper = status.upper()
-
-    # Build result sentence
-    if best_metric is None:
-        result_text = f"{metric_name}={metric_value} (first run, no prior best)"
-    else:
-        comparison = (
-            f"improved from {best_metric}"
-            if metric_value > best_metric
-            else (
-                f"unchanged from {best_metric}"
-                if metric_value == best_metric
-                else f"regressed from {best_metric}"
-            )
-        )
-        result_text = f"{metric_name}={metric_value} ({comparison})"
-
-    entry = (
-        f"\n### Run {iteration}: {description} — {metric_name}={metric_value} ({status_upper})\n"
-        f"- **Changed:** {changed}\n"
-        f"- **Result:** {result_text}\n"
-        f"- **Insight:** {insight}\n"
-        f"- **Next:** {next_step}\n"
-    )
-
-    try:
-        with open(path, "a") as fh:
-            fh.write(entry)
-    except OSError as exc:
-        print(f"error: cannot append to worklog '{path}': {exc}", file=sys.stderr)
-        sys.exit(1)
-
-
-def main() -> None:
-    parser = argparse.ArgumentParser(
-        description="Atomically record an agentic-loop iteration into state.json and worklog.md.",
-        formatter_class=argparse.RawDescriptionHelpFormatter,
-        epilog="""
-Status values:
-  keep     — metric improved; best is updated, consecutive_discards reset to 0
-  discard  — metric did not improve; consecutive_discards incremented
-  pivot    — forced strategy change (also increments pivot_count)
-  stop     — terminal state; loop should halt
-
-Exit codes:
-  0  success
-  1  error (message on stderr)
-        """,
-    )
-    parser.add_argument("--state-file", required=True, metavar="PATH", help="Path to state.json")
-    parser.add_argument("--worklog", required=True, metavar="PATH", help="Path to worklog.md (append-only)")
-    parser.add_argument("--iteration", required=True, type=int, help="Current iteration number (1-based)")
-    parser.add_argument("--metric-value", required=True, type=float, metavar="NUM", help="Numeric metric value this run")
-    parser.add_argument(
-        "--status",
-        required=True,
-        choices=["keep", "discard", "pivot", "stop"],
-        help="Outcome classification for this iteration",
-    )
-    parser.add_argument("--description", required=True, help="Short description of what changed this run")
-    parser.add_argument("--insight", required=True, help="What was learned from this run")
-    parser.add_argument("--next", required=True, dest="next_step", help="What to try in the next iteration")
-    parser.add_argument(
-        "--changed",
-        default=None,
-        metavar="TEXT",
-        help="What was specifically modified (defaults to --description)",
-    )
-    parser.add_argument(
-        "--metric-name",
-        default="metric",
-        metavar="NAME",
-        help="Name label for the metric (default: metric)",
-    )
-    args = parser.parse_args()
-
-    changed = args.changed if args.changed is not None else args.description
-
-    # --- Load current state ---
-    state = load_state(args.state_file)
-
-    prev_best: float | None = state.get("best_metric")
-
-    # --- Compute new state values ---
-    state["iteration"] = args.iteration
-    state["current_metric"] = args.metric_value
-    state["status"] = args.status
-    state["timestamp"] = datetime.now(tz=timezone.utc).isoformat()
-
-    if args.status == "keep":
-        # Keep: this run is better; promote to best.
-        state["best_metric"] = args.metric_value
-        state["consecutive_discards"] = 0
-    elif args.status == "discard":
-        # Do not update best; increment discard counter.
-        state["consecutive_discards"] = int(state.get("consecutive_discards") or 0) + 1
-    elif args.status == "pivot":
-        # Pivot: counts as a discard for streak purposes, but also advances pivot_count.
-        state["consecutive_discards"] = int(state.get("consecutive_discards") or 0) + 1
-        state["pivot_count"] = int(state.get("pivot_count") or 0) + 1
-    elif args.status == "stop":
-        # Terminal — no counter changes needed beyond recording.
-        pass
-
-    # --- Atomic write ---
-    atomic_write_json(args.state_file, state)
-
-    # --- Append worklog ---
-    append_worklog(
-        path=args.worklog,
-        iteration=args.iteration,
-        description=args.description,
-        metric_name=args.metric_name,
-        metric_value=args.metric_value,
-        status=args.status,
-        changed=changed,
-        insight=args.insight,
-        next_step=args.next_step,
-        best_metric=prev_best,
-    )
-
-    # Emit updated state summary for easy inspection.
-    print(json.dumps(state, indent=2))
-
-
-if __name__ == "__main__":
-    main()

package/dist/gaia-security/hooks/modules/security/gitops_validator.py

@@ -1,179 +0,0 @@
-"""
-GitOps workflow validation for kubectl, helm, and flux commands.
-
-Ensures commands follow GitOps principles:
-- No direct cluster modifications
-- Use --dry-run for apply operations
-- Prefer read-only commands
-"""
-
-import re
-import logging
-from typing import List, Optional
-from dataclasses import dataclass, field
-
-logger = logging.getLogger(__name__)
-
-
-@dataclass
-class GitOpsValidationResult:
-    """Result of GitOps validation."""
-    allowed: bool
-    reason: str
-    severity: str = "info"  # info, warning, high, critical
-    suggestions: List[str] = field(default_factory=list)
-
-
-# Safe read-only commands (always allowed)
-SAFE_KUBECTL_COMMANDS = [
-    r'kubectl\s+get',
-    r'kubectl\s+describe',
-    r'kubectl\s+logs',
-    r'kubectl\s+top',
-    r'kubectl\s+explain',
-    r'kubectl\s+version',
-    r'kubectl\s+cluster-info',
-    r'kubectl\s+config\s+view',
-    r'kubectl\s+api-resources',
-    r'kubectl\s+api-versions',
-]
-
-SAFE_FLUX_COMMANDS = [
-    r'flux\s+get',
-    r'flux\s+check',
-    r'flux\s+version',
-    r'flux\s+logs',
-    r'flux\s+stats',
-    r'flux\s+tree',
-]
-
-SAFE_HELM_COMMANDS = [
-    r'helm\s+list',
-    r'helm\s+status',
-    r'helm\s+history',
-    r'helm\s+template',
-    r'helm\s+lint',
-    r'helm\s+version',
-    r'helm\s+show',
-    r'helm\s+search',
-]
-
-# Forbidden commands (modify cluster state)
-FORBIDDEN_KUBECTL_COMMANDS = [
-    r'kubectl\s+apply(?!\s+.*--dry-run)',
-    r'kubectl\s+create(?!\s+.*--dry-run)',
-    r'kubectl\s+patch',
-    r'kubectl\s+replace',
-    r'kubectl\s+delete',
-    r'kubectl\s+scale',
-    r'kubectl\s+rollout\s+restart',
-    r'kubectl\s+annotate(?!\s+.*--dry-run)',
-    r'kubectl\s+label(?!\s+.*--dry-run)',
-]
-
-FORBIDDEN_FLUX_COMMANDS = [
-    r'flux\s+create',
-    r'flux\s+delete',
-    r'flux\s+suspend',
-    r'flux\s+resume',
-]
-
-FORBIDDEN_HELM_COMMANDS = [
-    r'helm\s+install(?!\s+.*--dry-run)',
-    r'helm\s+upgrade(?!\s+.*--dry-run)',
-    r'helm\s+uninstall',
-    r'helm\s+rollback',
-]
-
-
-def is_safe_gitops_command(command: str) -> bool:
-    """Check if command is explicitly safe (read-only)."""
-    safe_patterns = SAFE_KUBECTL_COMMANDS + SAFE_FLUX_COMMANDS + SAFE_HELM_COMMANDS
-    for pattern in safe_patterns:
-        if re.search(pattern, command, re.IGNORECASE):
-            return True
-    return False
-
-
-def is_forbidden_gitops_command(command: str) -> bool:
-    """Check if command is forbidden (modifies cluster state)."""
-    forbidden_patterns = (
-        FORBIDDEN_KUBECTL_COMMANDS +
-        FORBIDDEN_FLUX_COMMANDS +
-        FORBIDDEN_HELM_COMMANDS
-    )
-    for pattern in forbidden_patterns:
-        if re.search(pattern, command, re.IGNORECASE):
-            return True
-    return False
-
-
-def validate_gitops_workflow(
-    command: str,
-    agent_type: Optional[str] = None
-) -> GitOpsValidationResult:
-    """
-    Validate command against GitOps security principles.
-
-    Args:
-        command: Shell command to validate
-        agent_type: Optional agent type for stricter validation
-
-    Returns:
-        GitOpsValidationResult with status and suggestions
-    """
-    # Check if command is explicitly safe
-    if is_safe_gitops_command(command):
-        return GitOpsValidationResult(
-            allowed=True,
-            reason="Read-only operation - safe to execute",
-        )
-
-    # Check if command is forbidden
-    if is_forbidden_gitops_command(command):
-        suggestions = []
-
-        # Provide specific suggestions based on command type
-        if "kubectl apply" in command and "--dry-run" not in command:
-            suggestions.extend([
-                "Use: kubectl apply --dry-run=client -f <file>",
-                "Create manifests in gitops repository first",
-                "Commit changes and let Flux CD reconcile"
-            ])
-        elif "flux reconcile" in command and "--dry-run" not in command:
-            suggestions.extend([
-                "Use: flux reconcile <resource> --dry-run",
-                "Follow GitOps workflow: commit -> push -> automatic reconciliation"
-            ])
-        elif "helm install" in command or "helm upgrade" in command:
-            suggestions.extend([
-                "Use: helm template or helm upgrade --dry-run",
-                "Deploy via HelmRelease manifests in gitops repository"
-            ])
-        else:
-            suggestions.append("Use read-only commands or --dry-run alternatives")
-
-        return GitOpsValidationResult(
-            allowed=False,
-            reason="Command violates GitOps principles - modifies cluster state directly",
-            severity="critical",
-            suggestions=suggestions,
-        )
-
-    # For gitops-operator agent, be extra strict
-    if agent_type == "gitops-operator":
-        if ("apply" in command or "create" in command) and "--dry-run" not in command:
-            return GitOpsValidationResult(
-                allowed=False,
-                reason="GitOps operator must use --dry-run for all apply operations",
-                severity="high",
-                suggestions=["Add --dry-run=client flag to command"],
-            )
-
-    # Default: allow but warn about unclear intent
-    return GitOpsValidationResult(
-        allowed=True,
-        reason="Command not explicitly validated - proceed with caution",
-        severity="warning",
-        suggestions=["Verify command follows GitOps principles"],
-    )

package/git-hooks/commit-msg

@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-# commit-msg hook: strip Claude Code attribution footers from commit messages.
-#
-# This hook runs at the git level, catching ALL commits regardless of whether
-# they originate from Claude Code's Bash tool, a subagent, or the user's terminal.
-#
-# Patterns match those in hooks/modules/tools/bash_validator.py _strip_claude_footers()
-# to maintain a single source of truth for what constitutes a forbidden footer.
-#
-# Installation:
-#   cp git-hooks/commit-msg .git/hooks/commit-msg
-#   chmod +x .git/hooks/commit-msg
-#
-# Or via gaia-init (automatic).
-
-COMMIT_MSG_FILE="$1"
-
-if [ ! -f "${COMMIT_MSG_FILE}" ]; then
-    exit 0
-fi
-
-# Create a temp file for the cleaned message
-TEMP_FILE=$(mktemp)
-trap 'rm -f "${TEMP_FILE}"' EXIT
-
-# Read the commit message and strip forbidden footer lines:
-#   - Co-Authored-By: containing "Claude" (any case)
-#   - "Generated with Claude Code" or "[Claude Code]" (any case)
-#   - Emoji-prefixed "Generated with" lines
-sed -E \
-    -e '/^[[:space:]]*[Cc][Oo]-[Aa][Uu][Tt][Hh][Oo][Rr][Ee][Dd]-[Bb][Yy]:.*[Cc][Ll][Aa][Uu][Dd][Ee]/d' \
-    -e '/^[[:space:]]*[Gg][Ee][Nn][Ee][Rr][Aa][Tt][Ee][Dd] [Ww][Ii][Tt][Hh].*[Cc][Ll][Aa][Uu][Dd][Ee] [Cc][Oo][Dd][Ee]/d' \
-    -e '/^[[:space:]]*..?[[:space:]]*[Gg][Ee][Nn][Ee][Rr][Aa][Tt][Ee][Dd] [Ww][Ii][Tt][Hh]/d' \
-    "${COMMIT_MSG_FILE}" > "${TEMP_FILE}"
-
-# Remove trailing blank lines (collapse to single trailing newline)
-# This prevents empty trailers after stripping
-sed -e :a -e '/^\n*$/{$d;N;ba' -e '}' "${TEMP_FILE}" > "${COMMIT_MSG_FILE}"
-
-exit 0

package/hooks/modules/security/gitops_validator.py

@@ -1,179 +0,0 @@
-"""
-GitOps workflow validation for kubectl, helm, and flux commands.
-
-Ensures commands follow GitOps principles:
-- No direct cluster modifications
-- Use --dry-run for apply operations
-- Prefer read-only commands
-"""
-
-import re
-import logging
-from typing import List, Optional
-from dataclasses import dataclass, field
-
-logger = logging.getLogger(__name__)
-
-
-@dataclass
-class GitOpsValidationResult:
-    """Result of GitOps validation."""
-    allowed: bool
-    reason: str
-    severity: str = "info"  # info, warning, high, critical
-    suggestions: List[str] = field(default_factory=list)
-
-
-# Safe read-only commands (always allowed)
-SAFE_KUBECTL_COMMANDS = [
-    r'kubectl\s+get',
-    r'kubectl\s+describe',
-    r'kubectl\s+logs',
-    r'kubectl\s+top',
-    r'kubectl\s+explain',
-    r'kubectl\s+version',
-    r'kubectl\s+cluster-info',
-    r'kubectl\s+config\s+view',
-    r'kubectl\s+api-resources',
-    r'kubectl\s+api-versions',
-]
-
-SAFE_FLUX_COMMANDS = [
-    r'flux\s+get',
-    r'flux\s+check',
-    r'flux\s+version',
-    r'flux\s+logs',
-    r'flux\s+stats',
-    r'flux\s+tree',
-]
-
-SAFE_HELM_COMMANDS = [
-    r'helm\s+list',
-    r'helm\s+status',
-    r'helm\s+history',
-    r'helm\s+template',
-    r'helm\s+lint',
-    r'helm\s+version',
-    r'helm\s+show',
-    r'helm\s+search',
-]
-
-# Forbidden commands (modify cluster state)
-FORBIDDEN_KUBECTL_COMMANDS = [
-    r'kubectl\s+apply(?!\s+.*--dry-run)',
-    r'kubectl\s+create(?!\s+.*--dry-run)',
-    r'kubectl\s+patch',
-    r'kubectl\s+replace',
-    r'kubectl\s+delete',
-    r'kubectl\s+scale',
-    r'kubectl\s+rollout\s+restart',
-    r'kubectl\s+annotate(?!\s+.*--dry-run)',
-    r'kubectl\s+label(?!\s+.*--dry-run)',
-]
-
-FORBIDDEN_FLUX_COMMANDS = [
-    r'flux\s+create',
-    r'flux\s+delete',
-    r'flux\s+suspend',
-    r'flux\s+resume',
-]
-
-FORBIDDEN_HELM_COMMANDS = [
-    r'helm\s+install(?!\s+.*--dry-run)',
-    r'helm\s+upgrade(?!\s+.*--dry-run)',
-    r'helm\s+uninstall',
-    r'helm\s+rollback',
-]
-
-
-def is_safe_gitops_command(command: str) -> bool:
-    """Check if command is explicitly safe (read-only)."""
-    safe_patterns = SAFE_KUBECTL_COMMANDS + SAFE_FLUX_COMMANDS + SAFE_HELM_COMMANDS
-    for pattern in safe_patterns:
-        if re.search(pattern, command, re.IGNORECASE):
-            return True
-    return False
-
-
-def is_forbidden_gitops_command(command: str) -> bool:
-    """Check if command is forbidden (modifies cluster state)."""
-    forbidden_patterns = (
-        FORBIDDEN_KUBECTL_COMMANDS +
-        FORBIDDEN_FLUX_COMMANDS +
-        FORBIDDEN_HELM_COMMANDS
-    )
-    for pattern in forbidden_patterns:
-        if re.search(pattern, command, re.IGNORECASE):
-            return True
-    return False
-
-
-def validate_gitops_workflow(
-    command: str,
-    agent_type: Optional[str] = None
-) -> GitOpsValidationResult:
-    """
-    Validate command against GitOps security principles.
-
-    Args:
-        command: Shell command to validate
-        agent_type: Optional agent type for stricter validation
-
-    Returns:
-        GitOpsValidationResult with status and suggestions
-    """
-    # Check if command is explicitly safe
-    if is_safe_gitops_command(command):
-        return GitOpsValidationResult(
-            allowed=True,
-            reason="Read-only operation - safe to execute",
-        )
-
-    # Check if command is forbidden
-    if is_forbidden_gitops_command(command):
-        suggestions = []
-
-        # Provide specific suggestions based on command type
-        if "kubectl apply" in command and "--dry-run" not in command:
-            suggestions.extend([
-                "Use: kubectl apply --dry-run=client -f <file>",
-                "Create manifests in gitops repository first",
-                "Commit changes and let Flux CD reconcile"
-            ])
-        elif "flux reconcile" in command and "--dry-run" not in command:
-            suggestions.extend([
-                "Use: flux reconcile <resource> --dry-run",
-                "Follow GitOps workflow: commit -> push -> automatic reconciliation"
-            ])
-        elif "helm install" in command or "helm upgrade" in command:
-            suggestions.extend([
-                "Use: helm template or helm upgrade --dry-run",
-                "Deploy via HelmRelease manifests in gitops repository"
-            ])
-        else:
-            suggestions.append("Use read-only commands or --dry-run alternatives")
-
-        return GitOpsValidationResult(
-            allowed=False,
-            reason="Command violates GitOps principles - modifies cluster state directly",
-            severity="critical",
-            suggestions=suggestions,
-        )
-
-    # For gitops-operator agent, be extra strict
-    if agent_type == "gitops-operator":
-        if ("apply" in command or "create" in command) and "--dry-run" not in command:
-            return GitOpsValidationResult(
-                allowed=False,
-                reason="GitOps operator must use --dry-run for all apply operations",
-                severity="high",
-                suggestions=["Add --dry-run=client flag to command"],
-            )
-
-    # Default: allow but warn about unclear intent
-    return GitOpsValidationResult(
-        allowed=True,
-        reason="Command not explicitly validated - proceed with caution",
-        severity="warning",
-        suggestions=["Verify command follows GitOps principles"],
-    )