@rigour-labs/core 2.22.0 → 3.0.1

package/src/gates/agent-team.test.ts

@@ -1,134 +0,0 @@
-import { describe, it, expect, beforeEach, afterEach } from 'vitest';
-import { AgentTeamGate, registerAgent, getSession, clearSession } from './agent-team.js';
-import * as fs from 'fs';
-import * as path from 'path';
-import * as os from 'os';
-
-describe('AgentTeamGate', () => {
-    let testDir: string;
-
-    beforeEach(() => {
-        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agent-team-test-'));
-    });
-
-    afterEach(() => {
-        clearSession(testDir);
-        fs.rmSync(testDir, { recursive: true, force: true });
-    });
-
-    describe('gate initialization', () => {
-        it('should create gate with default config', () => {
-            const gate = new AgentTeamGate();
-            expect(gate.id).toBe('agent-team');
-            expect(gate.title).toBe('Agent Team Governance');
-        });
-
-        it('should skip when not enabled', async () => {
-            const gate = new AgentTeamGate({ enabled: false });
-            const failures = await gate.run({ cwd: testDir });
-            expect(failures).toEqual([]);
-        });
-    });
-
-    describe('session management', () => {
-        it('should register an agent', () => {
-            const session = registerAgent(testDir, 'agent-a', ['src/api/**']);
-            expect(session.agents).toHaveLength(1);
-            expect(session.agents[0].agentId).toBe('agent-a');
-            expect(session.agents[0].taskScope).toEqual(['src/api/**']);
-        });
-
-        it('should update existing agent registration', () => {
-            registerAgent(testDir, 'agent-a', ['src/api/**']);
-            const session = registerAgent(testDir, 'agent-a', ['src/api/**', 'src/utils/**']);
-            expect(session.agents).toHaveLength(1);
-            expect(session.agents[0].taskScope).toEqual(['src/api/**', 'src/utils/**']);
-        });
-
-        it('should persist session to disk', () => {
-            registerAgent(testDir, 'agent-a', ['src/**']);
-            const sessionPath = path.join(testDir, '.rigour', 'agent-session.json');
-            expect(fs.existsSync(sessionPath)).toBe(true);
-        });
-
-        it('should load session from disk', () => {
-            registerAgent(testDir, 'agent-a', ['src/**']);
-            // Clear in-memory cache
-            clearSession(testDir);
-            // Re-register to re-create session file
-            registerAgent(testDir, 'agent-b', ['tests/**']);
-
-            const session = getSession(testDir);
-            expect(session).not.toBeNull();
-            expect(session!.agents).toHaveLength(1); // Only agent-b after clearSession
-        });
-
-        it('should clear session', () => {
-            registerAgent(testDir, 'agent-a', ['src/**']);
-            clearSession(testDir);
-            const session = getSession(testDir);
-            expect(session).toBeNull();
-        });
-    });
-
-    describe('max concurrent agents check', () => {
-        it('should pass when under limit', async () => {
-            const gate = new AgentTeamGate({ enabled: true, max_concurrent_agents: 3 });
-            registerAgent(testDir, 'agent-a', ['src/a/**']);
-            registerAgent(testDir, 'agent-b', ['src/b/**']);
-
-            const failures = await gate.run({ cwd: testDir });
-            expect(failures).toEqual([]);
-        });
-
-        it('should fail when over limit', async () => {
-            const gate = new AgentTeamGate({ enabled: true, max_concurrent_agents: 2 });
-            registerAgent(testDir, 'agent-a', ['src/a/**']);
-            registerAgent(testDir, 'agent-b', ['src/b/**']);
-            registerAgent(testDir, 'agent-c', ['src/c/**']);
-
-            const failures = await gate.run({ cwd: testDir });
-            expect(failures).toHaveLength(1);
-            expect(failures[0].title).toBe('Too Many Concurrent Agents');
-        });
-    });
-
-    describe('task scope conflicts (strict mode)', () => {
-        it('should pass when scopes are disjoint', async () => {
-            const gate = new AgentTeamGate({
-                enabled: true,
-                task_ownership: 'strict'
-            });
-            registerAgent(testDir, 'agent-a', ['src/api/**']);
-            registerAgent(testDir, 'agent-b', ['src/ui/**']);
-
-            const failures = await gate.run({ cwd: testDir });
-            expect(failures).toEqual([]);
-        });
-
-        it('should fail when scopes overlap', async () => {
-            const gate = new AgentTeamGate({
-                enabled: true,
-                task_ownership: 'strict'
-            });
-            registerAgent(testDir, 'agent-a', ['src/api/**']);
-            registerAgent(testDir, 'agent-b', ['src/api/**']); // Same scope!
-
-            const failures = await gate.run({ cwd: testDir });
-            expect(failures).toHaveLength(1);
-            expect(failures[0].title).toBe('Task Scope Conflict');
-        });
-
-        it('should allow overlapping scopes in collaborative mode', async () => {
-            const gate = new AgentTeamGate({
-                enabled: true,
-                task_ownership: 'collaborative'
-            });
-            registerAgent(testDir, 'agent-a', ['src/api/**']);
-            registerAgent(testDir, 'agent-b', ['src/api/**']); // Same scope - OK in collaborative
-
-            const failures = await gate.run({ cwd: testDir });
-            expect(failures).toEqual([]);
-        });
-    });
-});

package/src/gates/agent-team.ts

@@ -1,210 +0,0 @@
-/**
- * Agent Team Governance Gate
- * 
- * Supervises multi-agent coordination for frontier models like
- * Opus 4.6 (agent teams) and GPT-5.3-Codex (coworking mode).
- * 
- * Detects:
- * - Cross-agent pattern conflicts
- * - Task scope violations
- * - Handoff context loss
- * 
- * @since v2.14.0
- */
-
-import { Gate, GateContext } from './base.js';
-import { Failure } from '../types/index.js';
-import { Logger } from '../utils/logger.js';
-import * as fs from 'fs';
-import * as path from 'path';
-
-export interface AgentRegistration {
-    agentId: string;
-    taskScope: string[];  // Glob patterns for files this agent owns
-    registeredAt: Date;
-    lastActivity?: Date;
-}
-
-export interface AgentTeamSession {
-    sessionId: string;
-    agents: AgentRegistration[];
-    startedAt: Date;
-}
-
-export interface AgentTeamConfig {
-    enabled?: boolean;
-    max_concurrent_agents?: number;
-    cross_agent_pattern_check?: boolean;
-    handoff_verification?: boolean;
-    task_ownership?: 'strict' | 'collaborative';
-}
-
-// In-memory session store (persisted to .rigour/agent-session.json)
-let currentSession: AgentTeamSession | null = null;
-
-/**
- * Register an agent in the current session
- */
-export function registerAgent(cwd: string, agentId: string, taskScope: string[]): AgentTeamSession {
-    if (!currentSession) {
-        currentSession = {
-            sessionId: `session-${Date.now()}`,
-            agents: [],
-            startedAt: new Date(),
-        };
-    }
-
-    // Check if agent already registered
-    const existing = currentSession.agents.find(a => a.agentId === agentId);
-    if (existing) {
-        existing.taskScope = taskScope;
-        existing.lastActivity = new Date();
-    } else {
-        currentSession.agents.push({
-            agentId,
-            taskScope,
-            registeredAt: new Date(),
-        });
-    }
-
-    // Persist session
-    persistSession(cwd);
-    return currentSession;
-}
-
-/**
- * Get current session status
- */
-export function getSession(cwd: string): AgentTeamSession | null {
-    if (!currentSession) {
-        loadSession(cwd);
-    }
-    return currentSession;
-}
-
-/**
- * Clear current session
- */
-export function clearSession(cwd: string): void {
-    currentSession = null;
-    const sessionPath = path.join(cwd, '.rigour', 'agent-session.json');
-    if (fs.existsSync(sessionPath)) {
-        fs.unlinkSync(sessionPath);
-    }
-}
-
-function persistSession(cwd: string): void {
-    const rigourDir = path.join(cwd, '.rigour');
-    if (!fs.existsSync(rigourDir)) {
-        fs.mkdirSync(rigourDir, { recursive: true });
-    }
-    const sessionPath = path.join(rigourDir, 'agent-session.json');
-    fs.writeFileSync(sessionPath, JSON.stringify(currentSession, null, 2));
-}
-
-function loadSession(cwd: string): void {
-    const sessionPath = path.join(cwd, '.rigour', 'agent-session.json');
-    if (fs.existsSync(sessionPath)) {
-        try {
-            const data = JSON.parse(fs.readFileSync(sessionPath, 'utf-8'));
-            currentSession = {
-                ...data,
-                startedAt: new Date(data.startedAt),
-                agents: data.agents.map((a: any) => ({
-                    ...a,
-                    registeredAt: new Date(a.registeredAt),
-                    lastActivity: a.lastActivity ? new Date(a.lastActivity) : undefined,
-                })),
-            };
-        } catch (err) {
-            Logger.warn('Failed to load agent session, starting fresh');
-            currentSession = null;
-        }
-    }
-}
-
-/**
- * Check if two glob patterns might overlap
- */
-function scopesOverlap(scope1: string[], scope2: string[]): string[] {
-    const overlapping: string[] = [];
-    for (const s1 of scope1) {
-        for (const s2 of scope2) {
-            // Simple overlap detection - same path or one is prefix of other
-            if (s1 === s2 || s1.startsWith(s2.replace('**', '')) || s2.startsWith(s1.replace('**', ''))) {
-                overlapping.push(`${s1} ↔ ${s2}`);
-            }
-        }
-    }
-    return overlapping;
-}
-
-export class AgentTeamGate extends Gate {
-    private config: AgentTeamConfig;
-
-    constructor(config: AgentTeamConfig = {}) {
-        super('agent-team', 'Agent Team Governance');
-        this.config = {
-            enabled: config.enabled ?? false,
-            max_concurrent_agents: config.max_concurrent_agents ?? 3,
-            cross_agent_pattern_check: config.cross_agent_pattern_check ?? true,
-            handoff_verification: config.handoff_verification ?? true,
-            task_ownership: config.task_ownership ?? 'strict',
-        };
-    }
-
-    async run(context: GateContext): Promise<Failure[]> {
-        if (!this.config.enabled) {
-            return [];
-        }
-
-        const failures: Failure[] = [];
-        const session = getSession(context.cwd);
-
-        if (!session || session.agents.length === 0) {
-            // No multi-agent session active, skip
-            return [];
-        }
-
-        Logger.info(`Agent Team Gate: ${session.agents.length} agents in session`);
-
-        // Check 1: Max concurrent agents
-        if (session.agents.length > (this.config.max_concurrent_agents ?? 3)) {
-            failures.push(this.createFailure(
-                `Too many concurrent agents: ${session.agents.length} (max: ${this.config.max_concurrent_agents})`,
-                undefined,
-                'Reduce the number of concurrent agents or increase max_concurrent_agents in rigour.yml',
-                'Too Many Concurrent Agents'
-            ));
-        }
-
-        // Check 2: Task scope conflicts (strict mode only)
-        if (this.config.task_ownership === 'strict') {
-            for (let i = 0; i < session.agents.length; i++) {
-                for (let j = i + 1; j < session.agents.length; j++) {
-                    const agent1 = session.agents[i];
-                    const agent2 = session.agents[j];
-                    const overlaps = scopesOverlap(agent1.taskScope, agent2.taskScope);
-
-                    if (overlaps.length > 0) {
-                        failures.push(this.createFailure(
-                            `Task scope conflict between ${agent1.agentId} and ${agent2.agentId}: ${overlaps.join(', ')}`,
-                            undefined,
-                            'In strict mode, each agent must have exclusive task scope. Either adjust scopes or set task_ownership: collaborative',
-                            'Task Scope Conflict'
-                        ));
-                    }
-                }
-            }
-        }
-
-        // Check 3: Cross-agent pattern detection (if enabled)
-        if (this.config.cross_agent_pattern_check && context.record) {
-            // This would integrate with the Pattern Index to detect conflicting patterns
-            // For now, we log that we would do this check
-            Logger.debug('Cross-agent pattern check: would analyze patterns across agent scopes');
-        }
-
-        return failures;
-    }
-}

package/src/gates/ast-handlers/base.ts

@@ -1,13 +0,0 @@
-import { Failure, Gates } from '../../types/index.js';
-
-export interface ASTHandlerContext {
-    cwd: string;
-    file: string;
-    content: string;
-}
-
-export abstract class ASTHandler {
-    constructor(protected config: Gates) { }
-    abstract supports(file: string): boolean;
-    abstract run(context: ASTHandlerContext): Promise<Failure[]>;
-}

package/src/gates/ast-handlers/python.ts

@@ -1,145 +0,0 @@
-import { execa } from 'execa';
-import { ASTHandler, ASTHandlerContext } from './base.js';
-import { Failure } from '../../types/index.js';
-import path from 'path';
-import { fileURLToPath } from 'url';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-
-interface SecurityIssue {
-    type: string;
-    issue: string;
-    name: string;
-    lineno: number;
-    message: string;
-}
-
-interface MetricItem {
-    type: string;
-    name: string;
-    complexity?: number;
-    parameters?: number;
-    methods?: number;
-    lineno: number;
-}
-
-interface PythonAnalysisResult {
-    metrics?: MetricItem[];
-    security?: SecurityIssue[];
-    error?: string;
-}
-
-export class PythonHandler extends ASTHandler {
-    supports(file: string): boolean {
-        return /\.py$/.test(file);
-    }
-
-    async run(context: ASTHandlerContext): Promise<Failure[]> {
-        const failures: Failure[] = [];
-        const scriptPath = path.join(__dirname, 'python_parser.py');
-
-        // Dynamic command detection for cross-platform support (Mac/Linux usually python3, Windows usually python)
-        let pythonCmd = 'python3';
-        try {
-            await execa('python3', ['--version']);
-        } catch (e) {
-            try {
-                await execa('python', ['--version']);
-                pythonCmd = 'python';
-            } catch (e2) {
-                // Both missing - handled by main catch
-            }
-        }
-
-        try {
-            const { stdout } = await execa(pythonCmd, [scriptPath], {
-                input: context.content,
-                cwd: context.cwd
-            });
-
-            const result: PythonAnalysisResult = JSON.parse(stdout);
-            if (result.error) return [];
-
-            const astConfig = this.config.ast || {};
-            const safetyConfig = this.config.safety || {};
-            const maxComplexity = astConfig.complexity || 10;
-            const maxParams = astConfig.max_params || 5;
-            const maxMethods = astConfig.max_methods || 10;
-
-            // Process metrics (complexity, params, methods)
-            const metrics = result.metrics || [];
-            for (const item of metrics) {
-                if (item.type === 'function') {
-                    if (item.parameters && item.parameters > maxParams) {
-                        failures.push({
-                            id: 'AST_MAX_PARAMS',
-                            title: `Function '${item.name}' has ${item.parameters} parameters (max: ${maxParams})`,
-                            details: `High parameter count detected in ${context.file} at line ${item.lineno}`,
-                            files: [context.file],
-                            hint: `Reduce number of parameters or use an options object.`
-                        });
-                    }
-                    if (item.complexity && item.complexity > maxComplexity) {
-                        failures.push({
-                            id: 'AST_COMPLEXITY',
-                            title: `Function '${item.name}' has complexity of ${item.complexity} (max: ${maxComplexity})`,
-                            details: `High complexity detected in ${context.file} at line ${item.lineno}`,
-                            files: [context.file],
-                            hint: `Refactor '${item.name}' into smaller, more focused functions.`
-                        });
-                    }
-                } else if (item.type === 'class') {
-                    if (item.methods && item.methods > maxMethods) {
-                        failures.push({
-                            id: 'AST_MAX_METHODS',
-                            title: `Class '${item.name}' has ${item.methods} methods (max: ${maxMethods})`,
-                            details: `God Object pattern detected in ${context.file} at line ${item.lineno}`,
-                            files: [context.file],
-                            hint: `Split class '${item.name}' into smaller services.`
-                        });
-                    }
-                }
-            }
-
-            // Process security issues (CSRF, hardcoded secrets, SQL injection, etc.)
-            const securityIssues = result.security || [];
-            for (const issue of securityIssues) {
-                const issueIdMap: Record<string, string> = {
-                    'hardcoded_secret': 'SECURITY_HARDCODED_SECRET',
-                    'csrf_disabled': 'SECURITY_CSRF_DISABLED',
-                    'code_injection': 'SECURITY_CODE_INJECTION',
-                    'insecure_deserialization': 'SECURITY_INSECURE_DESERIALIZATION',
-                    'command_injection': 'SECURITY_COMMAND_INJECTION',
-                    'sql_injection': 'SECURITY_SQL_INJECTION'
-                };
-
-                const id = issueIdMap[issue.issue] || 'SECURITY_ISSUE';
-
-                failures.push({
-                    id,
-                    title: issue.message,
-                    details: `Security issue in ${context.file} at line ${issue.lineno}: ${issue.name}`,
-                    files: [context.file],
-                    hint: this.getSecurityHint(issue.issue)
-                });
-            }
-
-        } catch (e: any) {
-            // If python3 is missing, we skip AST but other gates still run
-        }
-
-        return failures;
-    }
-
-    private getSecurityHint(issueType: string): string {
-        const hints: Record<string, string> = {
-            'hardcoded_secret': 'Use environment variables: os.environ.get("SECRET_KEY")',
-            'csrf_disabled': 'Enable CSRF protection for all forms handling sensitive data',
-            'code_injection': 'Avoid eval/exec. Use safer alternatives like ast.literal_eval() for data parsing',
-            'insecure_deserialization': 'Use json.loads() instead of pickle for untrusted data',
-            'command_injection': 'Use subprocess with shell=False and pass arguments as a list',
-            'sql_injection': 'Use parameterized queries: cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))'
-        };
-        return hints[issueType] || 'Review and fix the security issue.';
-    }
-}

package/src/gates/ast-handlers/python_parser.py

@@ -1,181 +0,0 @@
-import ast
-import sys
-import json
-import re
-
-class MetricsVisitor(ast.NodeVisitor):
-    def __init__(self):
-        self.metrics = []
-
-    def visit_FunctionDef(self, node):
-        self.analyze_function(node)
-        self.generic_visit(node)
-
-    def visit_AsyncFunctionDef(self, node):
-        self.analyze_function(node)
-        self.generic_visit(node)
-
-    def visit_ClassDef(self, node):
-        methods = [n for n in node.body if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
-        self.metrics.append({
-            "type": "class",
-            "name": node.name,
-            "methods": len(methods),
-            "lineno": node.lineno
-        })
-        self.generic_visit(node)
-
-    def analyze_function(self, node):
-        complexity = 1
-        for n in ast.walk(node):
-            if isinstance(n, (ast.If, ast.While, ast.For, ast.AsyncFor, ast.Try, ast.ExceptHandler, ast.With, ast.AsyncWith)):
-                complexity += 1
-            elif isinstance(n, ast.BoolOp):
-                complexity += len(n.values) - 1
-            elif isinstance(n, ast.IfExp):
-                complexity += 1
-
-        params = len(node.args.args) + len(node.args.kwonlyargs)
-        if node.args.vararg: params += 1
-        if node.args.kwarg: params += 1
-
-        self.metrics.append({
-            "type": "function",
-            "name": node.name,
-            "complexity": complexity,
-            "parameters": params,
-            "lineno": node.lineno
-        })
-
-
-class SecurityVisitor(ast.NodeVisitor):
-    """Detects security issues in Python code via AST analysis."""
-
-    def __init__(self, content):
-        self.issues = []
-        self.content = content
-        self.lines = content.split('\n')
-
-    def visit_Assign(self, node):
-        """Check for hardcoded secrets and CSRF disabled."""
-        for target in node.targets:
-            if isinstance(target, ast.Name):
-                name = target.id
-                # Check for hardcoded SECRET_KEY
-                if name == 'SECRET_KEY':
-                    if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
-                        self.issues.append({
-                            "type": "security",
-                            "issue": "hardcoded_secret",
-                            "name": "SECRET_KEY",
-                            "lineno": node.lineno,
-                            "message": "Hardcoded SECRET_KEY detected. Use environment variables instead."
-                        })
-                # Check for hardcoded passwords/tokens
-                if name.upper() in ('PASSWORD', 'API_KEY', 'TOKEN', 'AUTH_TOKEN', 'PRIVATE_KEY', 'AWS_SECRET_KEY'):
-                    if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
-                        self.issues.append({
-                            "type": "security",
-                            "issue": "hardcoded_secret",
-                            "name": name,
-                            "lineno": node.lineno,
-                            "message": f"Hardcoded {name} detected. Use environment variables instead."
-                        })
-                # Check for csrf = False
-                if name.lower() in ('csrf', 'csrf_enabled', 'wtf_csrf_enabled'):
-                    if isinstance(node.value, ast.Constant) and node.value.value == False:
-                        self.issues.append({
-                            "type": "security",
-                            "issue": "csrf_disabled",
-                            "name": name,
-                            "lineno": node.lineno,
-                            "message": "CSRF protection is disabled. This is a security vulnerability."
-                        })
-        self.generic_visit(node)
-
-    def visit_Call(self, node):
-        """Check for dangerous function calls."""
-        func_name = None
-        if isinstance(node.func, ast.Name):
-            func_name = node.func.id
-        elif isinstance(node.func, ast.Attribute):
-            func_name = node.func.attr
-
-        # Check for eval/exec usage
-        if func_name in ('eval', 'exec'):
-            self.issues.append({
-                "type": "security",
-                "issue": "code_injection",
-                "name": func_name,
-                "lineno": node.lineno,
-                "message": f"Use of {func_name}() detected. This can lead to code injection vulnerabilities."
-            })
-
-        # Check for pickle usage (insecure deserialization)
-        if func_name in ('loads', 'load') and isinstance(node.func, ast.Attribute):
-            if isinstance(node.func.value, ast.Name) and node.func.value.id == 'pickle':
-                self.issues.append({
-                    "type": "security",
-                    "issue": "insecure_deserialization",
-                    "name": "pickle",
-                    "lineno": node.lineno,
-                    "message": "Pickle deserialization is unsafe. Use json instead for untrusted data."
-                })
-
-        # Check for shell=True in subprocess
-        if func_name in ('run', 'call', 'Popen', 'check_output', 'check_call'):
-            for keyword in node.keywords:
-                if keyword.arg == 'shell' and isinstance(keyword.value, ast.Constant) and keyword.value.value == True:
-                    self.issues.append({
-                        "type": "security",
-                        "issue": "command_injection",
-                        "name": func_name,
-                        "lineno": node.lineno,
-                        "message": "shell=True in subprocess can lead to command injection."
-                    })
-
-        self.generic_visit(node)
-
-    def check_sql_injection(self):
-        """Check for SQL injection patterns using regex on source."""
-        sql_patterns = [
-            (r'execute\s*\(\s*["\'].*%s', 'SQL string formatting with %s'),
-            (r'execute\s*\(\s*f["\']', 'SQL f-string'),
-            (r'execute\s*\(\s*["\'].*\+', 'SQL string concatenation'),
-            (r'cursor\.execute\s*\(\s*["\'].*\.format\s*\(', 'SQL .format()'),
-        ]
-        for pattern, desc in sql_patterns:
-            for i, line in enumerate(self.lines, 1):
-                if re.search(pattern, line, re.IGNORECASE):
-                    self.issues.append({
-                        "type": "security",
-                        "issue": "sql_injection",
-                        "name": desc,
-                        "lineno": i,
-                        "message": f"Potential SQL injection: {desc}. Use parameterized queries."
-                    })
-
-
-def analyze_code(content):
-    try:
-        tree = ast.parse(content)
-
-        # Collect metrics
-        visitor = MetricsVisitor()
-        visitor.visit(tree)
-
-        # Collect security issues
-        security_visitor = SecurityVisitor(content)
-        security_visitor.visit(tree)
-        security_visitor.check_sql_injection()
-
-        return {
-            "metrics": visitor.metrics,
-            "security": security_visitor.issues
-        }
-    except Exception as e:
-        return {"error": str(e)}
-
-if __name__ == "__main__":
-    content = sys.stdin.read()
-    print(json.dumps(analyze_code(content)))