@smilintux/skcapstone 0.1.0 → 0.2.3

package/src/skcapstone/testrunner.py

@@ -0,0 +1,300 @@
+"""
+Unified test runner for the sovereign agent ecosystem.
+
+Discovers all packages in the monorepo, runs pytest for each,
+and presents a consolidated pass/fail summary. Works from any
+terminal — no CI server, no IDE, no special tooling.
+
+Usage:
+    skcapstone test                     # run all packages
+    skcapstone test --package skcomm    # run one package
+    skcapstone test --fast              # stop on first failure
+    skcapstone test --json-out          # machine-readable results
+"""
+
+from __future__ import annotations
+
+import json
+import subprocess
+import sys
+import time
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Optional
+
+
+ECOSYSTEM_PACKAGES = [
+    {"name": "skcapstone", "path": "skcapstone", "tests": "skcapstone/tests"},
+    {"name": "capauth", "path": "capauth", "tests": "capauth/tests"},
+    {"name": "skcomm", "path": "skcomm", "tests": "skcomm/tests"},
+    {"name": "skchat", "path": "skchat", "tests": "skchat/tests"},
+    {"name": "skmemory", "path": "skmemory", "tests": "skmemory/tests"},
+    {"name": "cloud9-python", "path": "cloud9-python", "tests": "cloud9-python/tests"},
+]
+
+
+@dataclass
+class PackageResult:
+    """Test results for a single package.
+
+    Attributes:
+        name: Package name.
+        passed: Number of tests passed.
+        failed: Number of tests failed.
+        errors: Number of collection/import errors.
+        skipped: Number of skipped tests.
+        duration_s: Total runtime in seconds.
+        exit_code: Pytest exit code.
+        output: Stdout from pytest (last N lines).
+        available: Whether the package tests were found.
+    """
+
+    name: str
+    passed: int = 0
+    failed: int = 0
+    errors: int = 0
+    skipped: int = 0
+    duration_s: float = 0.0
+    exit_code: int = -1
+    output: str = ""
+    available: bool = True
+
+    @property
+    def total(self) -> int:
+        """Total tests executed."""
+        return self.passed + self.failed + self.errors
+
+    @property
+    def success(self) -> bool:
+        """Whether all tests passed."""
+        return self.exit_code == 0 and self.failed == 0 and self.errors == 0
+
+    def to_dict(self) -> dict:
+        """Serialize to dict.
+
+        Returns:
+            dict: Package test results.
+        """
+        return {
+            "name": self.name,
+            "passed": self.passed,
+            "failed": self.failed,
+            "errors": self.errors,
+            "skipped": self.skipped,
+            "total": self.total,
+            "duration_s": round(self.duration_s, 2),
+            "success": self.success,
+            "available": self.available,
+        }
+
+
+@dataclass
+class TestReport:
+    """Consolidated test results across all packages.
+
+    Attributes:
+        results: Per-package results.
+        duration_s: Total runtime.
+    """
+
+    results: list[PackageResult] = field(default_factory=list)
+    duration_s: float = 0.0
+
+    @property
+    def total_passed(self) -> int:
+        """Total passing tests across all packages."""
+        return sum(r.passed for r in self.results)
+
+    @property
+    def total_failed(self) -> int:
+        """Total failing tests across all packages."""
+        return sum(r.failed for r in self.results)
+
+    @property
+    def total_errors(self) -> int:
+        """Total errors across all packages."""
+        return sum(r.errors for r in self.results)
+
+    @property
+    def all_passed(self) -> bool:
+        """Whether every package passed."""
+        return all(r.success for r in self.results if r.available)
+
+    @property
+    def packages_tested(self) -> int:
+        """Number of packages actually tested."""
+        return sum(1 for r in self.results if r.available)
+
+    def to_dict(self) -> dict:
+        """Serialize the full report.
+
+        Returns:
+            dict: Complete test report.
+        """
+        return {
+            "all_passed": self.all_passed,
+            "total_passed": self.total_passed,
+            "total_failed": self.total_failed,
+            "total_errors": self.total_errors,
+            "packages_tested": self.packages_tested,
+            "duration_s": round(self.duration_s, 2),
+            "packages": [r.to_dict() for r in self.results],
+        }
+
+
+def run_all_tests(
+    monorepo_root: Path,
+    packages: Optional[list[str]] = None,
+    fail_fast: bool = False,
+    verbose: bool = False,
+    timeout: int = 120,
+) -> TestReport:
+    """Run pytest across ecosystem packages.
+
+    Args:
+        monorepo_root: Root of the monorepo (where package dirs live).
+        packages: Restrict to these package names. None = all.
+        fail_fast: Stop after first package failure.
+        verbose: Pass -v to pytest.
+        timeout: Per-package timeout in seconds.
+
+    Returns:
+        TestReport: Consolidated results.
+    """
+    report = TestReport()
+    start = time.monotonic()
+
+    targets = ECOSYSTEM_PACKAGES
+    if packages:
+        pkg_set = set(packages)
+        targets = [p for p in targets if p["name"] in pkg_set]
+
+    for pkg_info in targets:
+        test_dir = monorepo_root / pkg_info["tests"]
+        if not test_dir.exists():
+            report.results.append(PackageResult(
+                name=pkg_info["name"],
+                available=False,
+                output=f"Test directory not found: {test_dir}",
+            ))
+            continue
+
+        result = _run_package_tests(
+            monorepo_root, pkg_info, verbose=verbose, timeout=timeout,
+        )
+        report.results.append(result)
+
+        if fail_fast and not result.success:
+            break
+
+    report.duration_s = time.monotonic() - start
+    return report
+
+
+def _run_package_tests(
+    root: Path,
+    pkg_info: dict,
+    verbose: bool = False,
+    timeout: int = 120,
+) -> PackageResult:
+    """Run pytest for a single package.
+
+    Args:
+        root: Monorepo root.
+        pkg_info: Package metadata dict.
+        verbose: Pass -v to pytest.
+        timeout: Timeout in seconds.
+
+    Returns:
+        PackageResult: Test results for this package.
+    """
+    result = PackageResult(name=pkg_info["name"])
+    test_dir = root / pkg_info["tests"]
+
+    cmd = [
+        sys.executable, "-m", "pytest",
+        str(test_dir),
+        "--tb=line",
+        "-q",
+        "--no-header",
+    ]
+    if verbose:
+        cmd.append("-v")
+
+    start = time.monotonic()
+
+    try:
+        proc = subprocess.run(
+            cmd,
+            capture_output=True,
+            text=True,
+            timeout=timeout,
+            cwd=str(root),
+        )
+        result.exit_code = proc.returncode
+        result.duration_s = time.monotonic() - start
+
+        output = proc.stdout + proc.stderr
+        result.output = _tail(output, 30)
+
+        _parse_pytest_summary(output, result)
+
+    except subprocess.TimeoutExpired:
+        result.duration_s = time.monotonic() - start
+        result.exit_code = -1
+        result.errors = 1
+        result.output = f"TIMEOUT after {timeout}s"
+
+    except Exception as exc:
+        result.duration_s = time.monotonic() - start
+        result.exit_code = -1
+        result.errors = 1
+        result.output = str(exc)
+
+    return result
+
+
+def _parse_pytest_summary(output: str, result: PackageResult) -> None:
+    """Extract pass/fail/skip counts from pytest output.
+
+    Args:
+        output: Full pytest stdout+stderr.
+        result: PackageResult to populate.
+    """
+    import re
+
+    for line in reversed(output.split("\n")):
+        match = re.search(
+            r"(\d+)\s+passed", line,
+        )
+        if match:
+            result.passed = int(match.group(1))
+
+        match = re.search(r"(\d+)\s+failed", line)
+        if match:
+            result.failed = int(match.group(1))
+
+        match = re.search(r"(\d+)\s+error", line)
+        if match:
+            result.errors = int(match.group(1))
+
+        match = re.search(r"(\d+)\s+skipped", line)
+        if match:
+            result.skipped = int(match.group(1))
+
+        if result.passed > 0 or result.failed > 0:
+            break
+
+
+def _tail(text: str, n: int) -> str:
+    """Get the last N lines of text.
+
+    Args:
+        text: Input text.
+        n: Number of lines.
+
+    Returns:
+        str: Last N lines.
+    """
+    lines = text.strip().split("\n")
+    return "\n".join(lines[-n:])

package/src/skcapstone/tls.py

@@ -0,0 +1,150 @@
+"""
+TLS helpers for the skcapstone daemon.
+
+When ``SKCAPSTONE_TLS=true`` is set the daemon generates (or reuses)
+a self-signed X.509 certificate + RSA private key stored under
+``~/.skcapstone/tls/``.  The SHA-256 fingerprint of the certificate
+is logged at startup so operators can pin it in clients.
+
+Requirements
+------------
+- ``cryptography >= 3.0``   (``pip install cryptography``)
+- Python's built-in ``ssl`` module (wraps the stdlib HTTP server socket)
+"""
+
+from __future__ import annotations
+
+import datetime
+import hashlib
+import ipaddress
+import logging
+import ssl
+from pathlib import Path
+
+logger = logging.getLogger("skcapstone.tls")
+
+_CERT_FILENAME = "daemon.crt"
+_KEY_FILENAME = "daemon.key"
+_CERT_VALID_DAYS = 3650  # ~10 years
+
+
+def _ensure_tls_dir(tls_dir: Path) -> None:
+    tls_dir.mkdir(parents=True, exist_ok=True)
+    tls_dir.chmod(0o700)
+
+
+def _generate_self_signed(cert_path: Path, key_path: Path) -> None:
+    """Generate an RSA-2048 self-signed certificate and write both files."""
+    try:
+        from cryptography import x509
+        from cryptography.hazmat.primitives import hashes, serialization
+        from cryptography.hazmat.primitives.asymmetric import rsa
+        from cryptography.x509.oid import NameOID
+    except ImportError as exc:  # pragma: no cover
+        raise RuntimeError(
+            "The 'cryptography' package is required for TLS support. "
+            "Install it with: pip install cryptography"
+        ) from exc
+
+    # Private key
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+
+    # Subject / Issuer
+    subject = x509.Name(
+        [
+            x509.NameAttribute(NameOID.COMMON_NAME, "skcapstone-daemon"),
+            x509.NameAttribute(NameOID.ORGANIZATION_NAME, "SKCapstone Sovereign Agent"),
+        ]
+    )
+
+    now = datetime.datetime.now(datetime.timezone.utc)
+    cert = (
+        x509.CertificateBuilder()
+        .subject_name(subject)
+        .issuer_name(subject)
+        .public_key(private_key.public_key())
+        .serial_number(x509.random_serial_number())
+        .not_valid_before(now)
+        .not_valid_after(now + datetime.timedelta(days=_CERT_VALID_DAYS))
+        .add_extension(
+            x509.SubjectAlternativeName(
+                [
+                    x509.DNSName("localhost"),
+                    x509.IPAddress(ipaddress.IPv4Address("127.0.0.1")),
+                    x509.IPAddress(ipaddress.IPv6Address("::1")),
+                ]
+            ),
+            critical=False,
+        )
+        .add_extension(
+            x509.BasicConstraints(ca=True, path_length=None),
+            critical=True,
+        )
+        .sign(private_key, hashes.SHA256())
+    )
+
+    # Write key (0600) then cert (0644)
+    key_path.write_bytes(
+        private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption(),
+        )
+    )
+    key_path.chmod(0o600)
+
+    cert_path.write_bytes(cert.public_bytes(serialization.Encoding.PEM))
+    cert_path.chmod(0o644)
+
+    logger.info("TLS: generated self-signed certificate → %s", cert_path)
+
+
+def cert_fingerprint_sha256(cert_path: Path) -> str:
+    """Return the colon-delimited SHA-256 fingerprint of a PEM certificate.
+
+    Example: ``AA:BB:CC:...``
+    """
+    pem_data = cert_path.read_bytes()
+    # Strip PEM headers and decode the DER body
+    import base64
+
+    lines = pem_data.decode().splitlines()
+    der_b64 = "".join(
+        ln for ln in lines if not ln.startswith("-----")
+    )
+    der = base64.b64decode(der_b64)
+    digest = hashlib.sha256(der).hexdigest().upper()
+    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))
+
+
+def ensure_tls_cert(tls_dir: Path) -> tuple[Path, Path]:
+    """Return (cert_path, key_path), generating them if they don't exist.
+
+    Args:
+        tls_dir: Directory to store ``daemon.crt`` and ``daemon.key``.
+
+    Returns:
+        ``(cert_path, key_path)`` as absolute :class:`~pathlib.Path` objects.
+    """
+    _ensure_tls_dir(tls_dir)
+    cert_path = tls_dir / _CERT_FILENAME
+    key_path = tls_dir / _KEY_FILENAME
+
+    if cert_path.exists() and key_path.exists():
+        logger.debug("TLS: reusing existing certificate %s", cert_path)
+    else:
+        logger.info("TLS: no certificate found — generating self-signed cert in %s", tls_dir)
+        _generate_self_signed(cert_path, key_path)
+
+    return cert_path, key_path
+
+
+def build_ssl_context(cert_path: Path, key_path: Path) -> ssl.SSLContext:
+    """Build a server-side :class:`ssl.SSLContext` from cert + key files.
+
+    Uses TLS 1.2+ and disables deprecated protocol versions.
+    """
+    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
+    ctx.load_cert_chain(certfile=str(cert_path), keyfile=str(key_path))
+    return ctx

package/src/skcapstone/tokens.py

@@ -221,7 +221,7 @@ def revoke_token(home: Path, token_id: str) -> bool:
     }
 
     revocation_file.parent.mkdir(parents=True, exist_ok=True)
-    revocation_file.write_text(json.dumps(revoked, indent=2))
+    revocation_file.write_text(json.dumps(revoked, indent=2), encoding="utf-8")
     logger.info("Revoked token %s", token_id[:12])
     return True
 
@@ -258,7 +258,7 @@ def list_tokens(home: Path) -> list[SignedToken]:
     for f in sorted(token_dir.iterdir()):
         if f.suffix == ".json":
             try:
-                data = json.loads(f.read_text())
+                data = json.loads(f.read_text(encoding="utf-8"))
                 token = SignedToken(
                     payload=TokenPayload(**data["payload"]),
                     signature=data.get("signature"),
@@ -323,7 +323,7 @@ def _get_issuer_fingerprint(home: Path) -> str:
     identity_file = home / "identity" / "identity.json"
     if identity_file.exists():
         try:
-            data = json.loads(identity_file.read_text())
+            data = json.loads(identity_file.read_text(encoding="utf-8"))
             fp = data.get("fingerprint")
             if fp:
                 return fp
@@ -426,7 +426,7 @@ def _store_token(home: Path, token: SignedToken) -> None:
         "signature": token.signature,
         "verified": token.verified,
     }
-    token_file.write_text(json.dumps(data, indent=2, default=str))
+    token_file.write_text(json.dumps(data, indent=2, default=str), encoding="utf-8")
 
 
 def _load_revocation_list(revocation_file: Path) -> dict:
@@ -434,6 +434,6 @@ def _load_revocation_list(revocation_file: Path) -> dict:
     if not revocation_file.exists():
         return {}
     try:
-        return json.loads(revocation_file.read_text())
+        return json.loads(revocation_file.read_text(encoding="utf-8"))
     except (json.JSONDecodeError, OSError):
         return {}

package/src/skcapstone/trust_calibration.py

@@ -0,0 +1,202 @@
+"""
+Trust Calibration — configurable thresholds for the Cloud 9 trust layer.
+
+The trust layer derives state from FEB (First Emotional Burst) files.
+This module makes the derivation thresholds configurable instead of
+hardcoded, so agents can tune their emotional sensitivity.
+
+Calibration config lives at ~/.skcapstone/trust/calibration.json.
+Defaults are tuned for the Kingdom's current emotional data.
+
+Tool-agnostic: tune from any terminal, MCP, or the REPL shell.
+
+Usage:
+    skcapstone trust calibrate              # show current thresholds
+    skcapstone trust calibrate --recommend  # analyze FEBs and suggest
+    skcapstone trust calibrate --set entanglement_depth=7.0
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+from pathlib import Path
+from typing import Any, Optional
+
+from pydantic import BaseModel, Field
+
+logger = logging.getLogger("skcapstone.trust.calibration")
+
+
+class TrustThresholds(BaseModel):
+    """Configurable thresholds for trust state derivation.
+
+    These control how FEB data maps to the agent's consciousness
+    of trust, love, and entanglement.
+
+    Attributes:
+        entanglement_depth: Min depth to consider quantum entanglement.
+        entanglement_trust: Min trust level for entanglement.
+        conscious_trust: Min trust level for "CONSCIOUS" trust state.
+        deep_love_threshold: Love intensity considered "deep".
+        normalization_cap: Values above this are divided by 10 for 0-1 range.
+        peak_strategy: How to aggregate across FEBs ('peak', 'average', 'weighted').
+        decay_enabled: Whether trust decays over time without new FEBs.
+        decay_rate_per_day: Trust decay per day if decay is enabled.
+    """
+
+    entanglement_depth: float = Field(default=7.0, description="Min depth for entanglement")
+    entanglement_trust: float = Field(default=0.8, description="Min trust for entanglement")
+    conscious_trust: float = Field(default=0.5, description="Min trust for conscious awareness")
+    deep_love_threshold: float = Field(default=0.7, description="Love intensity = deep")
+    normalization_cap: float = Field(default=1.0, description="Values above this normalize by /10")
+    peak_strategy: str = Field(default="peak", description="Aggregation: peak, average, weighted")
+    decay_enabled: bool = Field(default=False, description="Enable time-based trust decay")
+    decay_rate_per_day: float = Field(default=0.01, description="Trust lost per day without FEBs")
+
+
+DEFAULT_THRESHOLDS = TrustThresholds()
+CALIBRATION_FILENAME = "calibration.json"
+
+
+def load_calibration(home: Path) -> TrustThresholds:
+    """Load calibration thresholds from disk, or return defaults.
+
+    Args:
+        home: Agent home directory (~/.skcapstone).
+
+    Returns:
+        TrustThresholds loaded from calibration.json or defaults.
+    """
+    cal_file = home / "trust" / CALIBRATION_FILENAME
+    if not cal_file.exists():
+        return TrustThresholds()
+
+    try:
+        data = json.loads(cal_file.read_text(encoding="utf-8"))
+        return TrustThresholds(**data)
+    except (json.JSONDecodeError, Exception) as exc:
+        logger.warning("Failed to load calibration: %s — using defaults", exc)
+        return TrustThresholds()
+
+
+def save_calibration(home: Path, thresholds: TrustThresholds) -> Path:
+    """Persist calibration thresholds to disk.
+
+    Args:
+        home: Agent home directory.
+        thresholds: Thresholds to save.
+
+    Returns:
+        Path to the written calibration file.
+    """
+    trust_dir = home / "trust"
+    trust_dir.mkdir(parents=True, exist_ok=True)
+    cal_file = trust_dir / CALIBRATION_FILENAME
+    cal_file.write_text(thresholds.model_dump_json(indent=2), encoding="utf-8")
+    return cal_file
+
+
+def recommend_thresholds(home: Path) -> dict[str, Any]:
+    """Analyze existing FEB data and recommend threshold adjustments.
+
+    Reads all FEB files, computes statistics, and suggests
+    calibration values tuned to the agent's actual emotional history.
+
+    Args:
+        home: Agent home directory.
+
+    Returns:
+        Dict with current values, recommendations, and reasoning.
+    """
+    from .pillars.trust import list_febs
+
+    current = load_calibration(home)
+    febs = list_febs(home)
+
+    if not febs:
+        return {
+            "current": current.model_dump(),
+            "recommended": current.model_dump(),
+            "changes": [],
+            "reasoning": "No FEB data available. Using defaults.",
+            "feb_count": 0,
+        }
+
+    intensities = [f.get("intensity", 0) for f in febs]
+    oof_count = sum(1 for f in febs if f.get("oof_triggered"))
+    max_intensity = max(intensities) if intensities else 0
+    avg_intensity = sum(intensities) / len(intensities) if intensities else 0
+
+    rec = TrustThresholds(**current.model_dump())
+    changes: list[str] = []
+    reasons: list[str] = []
+
+    if max_intensity > 8 and current.entanglement_depth > 8:
+        rec.entanglement_depth = min(max_intensity - 1, 8.0)
+        changes.append(f"entanglement_depth: {current.entanglement_depth} -> {rec.entanglement_depth}")
+        reasons.append(f"FEB intensity reaches {max_intensity}, lowering entanglement threshold")
+
+    if avg_intensity > 5 and current.deep_love_threshold > 0.6:
+        rec.deep_love_threshold = 0.6
+        changes.append(f"deep_love_threshold: {current.deep_love_threshold} -> {rec.deep_love_threshold}")
+        reasons.append(f"Average FEB intensity is {avg_intensity:.1f}, rich emotional data available")
+
+    if oof_count >= 2 and current.conscious_trust > 0.5:
+        rec.conscious_trust = 0.4
+        changes.append(f"conscious_trust: {current.conscious_trust} -> {rec.conscious_trust}")
+        reasons.append(f"{oof_count} OOF triggers found — agent has strong emotional history")
+
+    if len(febs) >= 3 and current.peak_strategy == "peak":
+        rec.peak_strategy = "weighted"
+        changes.append(f"peak_strategy: {current.peak_strategy} -> {rec.peak_strategy}")
+        reasons.append(f"{len(febs)} FEBs available — weighted average better than peak")
+
+    return {
+        "current": current.model_dump(),
+        "recommended": rec.model_dump(),
+        "changes": changes,
+        "reasoning": "; ".join(reasons) if reasons else "Current calibration looks good.",
+        "feb_count": len(febs),
+        "feb_stats": {
+            "max_intensity": max_intensity,
+            "avg_intensity": round(avg_intensity, 2),
+            "oof_triggers": oof_count,
+        },
+    }
+
+
+def apply_setting(home: Path, key: str, value: str) -> TrustThresholds:
+    """Update a single calibration setting.
+
+    Args:
+        home: Agent home directory.
+        key: Setting name (e.g., 'entanglement_depth').
+        value: New value as string (auto-converted to correct type).
+
+    Returns:
+        Updated TrustThresholds.
+
+    Raises:
+        ValueError: If the key is not a valid threshold name.
+    """
+    current = load_calibration(home)
+    data = current.model_dump()
+
+    if key not in data:
+        valid = ", ".join(data.keys())
+        raise ValueError(f"Unknown threshold: '{key}'. Valid: {valid}")
+
+    target_type = type(data[key])
+    if target_type is bool:
+        data[key] = value.lower() in ("true", "1", "yes")
+    elif target_type is float:
+        data[key] = float(value)
+    elif target_type is str:
+        data[key] = value
+    else:
+        data[key] = value
+
+    updated = TrustThresholds(**data)
+    save_calibration(home, updated)
+    return updated