@oswaldzsh/devhive 0.1.0

package/verification/patterns/security.yaml

@@ -0,0 +1,41 @@
+# Security-related detection rules
+patterns:
+  - id: S001
+    name: new_network_call_no_timeout
+    desc: "New network request added without timeout or deadline context"
+    severity: HIGH
+    detector:
+      type: ast_pattern
+      rule: "new http/client call AND no timeout/deadline context"
+
+  - id: S002
+    name: sql_injection_risk
+    desc: "String formatting or concatenation used in SQL query construction"
+    severity: CRITICAL
+    detector:
+      type: ast_pattern
+      rule: "SQL string built with f-string or .format() instead of parameterized query"
+
+  - id: S003
+    name: hardcoded_secret
+    desc: "Potential hardcoded credential, API key, or token"
+    severity: CRITICAL
+    detector:
+      type: pattern_match
+      rule: "string literal matching secret/key/token/password patterns"
+
+  - id: S004
+    name: missing_auth_check
+    desc: "New endpoint or handler added without authentication decorator"
+    severity: HIGH
+    detector:
+      type: ast_pattern
+      rule: "new route/endpoint handler without auth middleware"
+
+  - id: S005
+    name: unsafe_deserialization
+    desc: "Use of pickle, yaml.load, or eval on user-controlled input"
+    severity: CRITICAL
+    detector:
+      type: ast_pattern
+      rule: "pickle.loads|yaml.load|eval|exec with variable input"

package/verification/pipeline.py

@@ -0,0 +1,61 @@
+"""Verification Pipeline — orchestrates L1/L2 verification stages."""
+
+import asyncio
+from typing import Optional
+
+from protocol.schemas import (
+    Task, ExecutionHandoff, Verdict, SemanticVerdict,
+    VerdictOverall, ConcurrencyAction,
+)
+from agents.verifier_static import StaticVerifier
+from agents.verifier_dynamic import DynamicVerifier
+from agents.verifier_semantic import SemanticVerifier
+
+
+class VerificationPipeline:
+    """Runs Static + Dynamic in parallel (L1), Semantic on demand (L2)."""
+
+    def __init__(self, config: dict = None):
+        self.config = config or {}
+
+    async def run_l1(self, task: Task) -> tuple[Verdict, Verdict]:
+        """Run Static and Dynamic verification in parallel."""
+        static_config = self.config.get("static_verifier", {})
+        dynamic_config = self.config.get("dynamic_verifier", {})
+
+        # In production, these would run as separate processes.
+        # For the MVP, we run them sequentially in-process.
+        static_verdict = await self._run_static(task)
+        dynamic_verdict = await self._run_dynamic(task)
+
+        return static_verdict, dynamic_verdict
+
+    async def _run_static(self, task: Task) -> Verdict:
+        """Run static verification."""
+        from agents.verifier_static import StaticVerifier
+        # Direct call for MVP; in production this dispatches to a process
+        verifier = StaticVerifier("static-v", None, None, self.config)
+        return verifier._execute(task)
+
+    async def _run_dynamic(self, task: Task) -> Verdict:
+        """Run dynamic verification."""
+        from agents.verifier_dynamic import DynamicVerifier
+        verifier = DynamicVerifier("dynamic-v", None, None, self.config)
+        return verifier._execute(task)
+
+    async def run_l2(self, task: Task) -> SemanticVerdict:
+        """Run semantic verification (more expensive, merge-gate only)."""
+        from agents.verifier_semantic import SemanticVerifier
+        verifier = SemanticVerifier("semantic-v", None, None, self.config)
+        return verifier._execute(task)
+
+    async def run_mutation(self, task: Task) -> Verdict:
+        """Run mutation testing to detect coverage gaps."""
+        # MVP: placeholder for mutation testing
+        from protocol.schemas import Verdict, VerdictOverall, VerifierType
+        return Verdict(
+            verifier_type=VerifierType.DYNAMIC,
+            task_id=task.id,
+            overall=VerdictOverall.PASS,
+            findings=[],
+        )