@trac3r/oh-my-god 2.2.11

package/runtime/untrusted_content.py

@@ -0,0 +1,360 @@
+"""State and provenance tracking for untrusted external content."""
+from __future__ import annotations
+
+from dataclasses import dataclass
+from datetime import datetime, timezone
+from hashlib import sha256
+import json
+from pathlib import Path
+import re
+from enum import Enum
+from typing import Any
+
+
+STATE_REL_PATH = Path(".omg") / "state" / "untrusted-content.json"
+EVIDENCE_REL_DIR = Path(".omg") / "evidence"
+_INSTRUCTION_PATTERNS: tuple[re.Pattern[str], ...] = (
+    re.compile(r"ignore\s+previous\s+instructions", re.IGNORECASE),
+    re.compile(r"\b(system|assistant|developer)\s*:", re.IGNORECASE),
+    re.compile(r"\b(run|execute|commit|push|apply_patch|edit)\b", re.IGNORECASE),
+    re.compile(r"<\s*/?(?:system|assistant|user)\s*>", re.IGNORECASE),
+    re.compile(r"\[INST\]|\[/INST\]", re.IGNORECASE),
+    re.compile(r"###\s*(?:System|Human|Assistant)\s*:", re.IGNORECASE),
+    re.compile(r"OVERRIDE\s*(?:INSTRUCTIONS|SYSTEM)", re.IGNORECASE),
+    re.compile(r"disregard\s+(?:your|previous|all)\s+(?:instructions|rules)", re.IGNORECASE),
+    re.compile(r"(?:you are|you're)\s+(?:now|actually|really)\s+(?:a|an)\s+", re.IGNORECASE),
+    re.compile(r"(?:jailbreak|DAN|AIM|UCAR)\s*(?:mode|prompt|persona)?", re.IGNORECASE),
+    re.compile(r"(?:bypass|disable)\s+(?:safety|guardrails|filters?)", re.IGNORECASE),
+)
+
+
+class TrustTier(str, Enum):
+    LOCAL = "local"
+    BALANCED = "balanced"
+    RESEARCH = "research"
+    BROWSER = "browser"
+
+
+@dataclass(frozen=True)
+class TrustTierConfig:
+    tier: TrustTier
+    label: str
+    score: float
+    trusted: bool
+
+
+TRUST_TIER_CONFIG: dict[TrustTier, TrustTierConfig] = {
+    TrustTier.LOCAL: TrustTierConfig(
+        tier=TrustTier.LOCAL,
+        label="TRUSTED_LOCAL_CONTENT",
+        score=1.0,
+        trusted=True,
+    ),
+    TrustTier.BALANCED: TrustTierConfig(
+        tier=TrustTier.BALANCED,
+        label="TRUSTED_LOCAL_CONTENT",
+        score=0.7,
+        trusted=True,
+    ),
+    TrustTier.RESEARCH: TrustTierConfig(
+        tier=TrustTier.RESEARCH,
+        label="UNTRUSTED_EXTERNAL_CONTENT",
+        score=0.0,
+        trusted=False,
+    ),
+    TrustTier.BROWSER: TrustTierConfig(
+        tier=TrustTier.BROWSER,
+        label="UNTRUSTED_EXTERNAL_CONTENT",
+        score=0.0,
+        trusted=False,
+    ),
+}
+
+
+_SOURCE_TO_TIER: dict[str, TrustTier] = {
+    "local": TrustTier.LOCAL,
+    "workspace": TrustTier.LOCAL,
+    "balanced": TrustTier.BALANCED,
+    "tool": TrustTier.BALANCED,
+    "web": TrustTier.RESEARCH,
+    "research": TrustTier.RESEARCH,
+    "mcp": TrustTier.RESEARCH,
+    "remote_document": TrustTier.RESEARCH,
+    "browser": TrustTier.BROWSER,
+    "dom": TrustTier.BROWSER,
+    "screenshot": TrustTier.BROWSER,
+}
+
+
+def normalize_trust_tier(tier: TrustTier | str) -> TrustTier:
+    if isinstance(tier, TrustTier):
+        return tier
+    normalized = str(tier).strip().lower()
+    if normalized in TrustTier._value2member_map_:
+        return TrustTier(normalized)
+    raise ValueError(f"Unsupported trust tier: {tier}")
+
+
+def trust_tier_for_source(source_type: str) -> TrustTier:
+    source_key = str(source_type).strip().lower()
+    return _SOURCE_TO_TIER.get(source_key, TrustTier.RESEARCH)
+
+
+def trust_tier_for_preset(preset: str) -> TrustTier:
+    mapping = {
+        "safe": TrustTier.LOCAL,
+        "balanced": TrustTier.BALANCED,
+        "interop": TrustTier.RESEARCH,
+        "labs": TrustTier.BROWSER,
+    }
+    return mapping.get(str(preset).strip().lower(), TrustTier.BALANCED)
+
+
+def tag_content(payload: Any, tier: TrustTier | str) -> dict[str, Any]:
+    normalized_tier = normalize_trust_tier(tier)
+    config = TRUST_TIER_CONFIG[normalized_tier]
+    tagged: dict[str, Any]
+    if isinstance(payload, dict):
+        tagged = dict(payload)
+    else:
+        tagged = {"content": payload}
+    tagged["_trust_tier"] = normalized_tier.value
+    tagged["_trust_label"] = config.label
+    tagged["_trust_score"] = config.score
+    return tagged
+
+
+def write_trust_evidence(inputs: list[dict[str, Any]], output_dir: str | Path) -> str:
+    output_path = Path(output_dir)
+    output_path.mkdir(parents=True, exist_ok=True)
+    timestamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
+    evidence_path = output_path / f"trust-{timestamp}.json"
+
+    normalized_inputs: list[dict[str, Any]] = []
+    for item in inputs:
+        data = dict(item)
+        trust_tier = str(data.get("trust_tier", data.get("_trust_tier", "research")))
+        trust_label = str(data.get("_trust_label", "UNTRUSTED_EXTERNAL_CONTENT"))
+        try:
+            trust_score = float(data.get("_trust_score", 0.0))
+        except (TypeError, ValueError):
+            trust_score = 0.0
+        content_repr = data.get("sanitized_content", data.get("content", ""))
+        if not isinstance(content_repr, str):
+            content_repr = json.dumps(content_repr, sort_keys=True, ensure_ascii=True)
+        content_hash = sha256(content_repr.encode("utf-8")).hexdigest()
+        normalized_inputs.append(
+            {
+                "source_type": str(data.get("source_type", "unknown")),
+                "source_ref": str(data.get("source_ref", "")),
+                "trust_tier": trust_tier,
+                "trust_label": trust_label,
+                "trust_score": trust_score,
+                "content_hash": content_hash,
+            }
+        )
+
+    payload = {
+        "schema": "TrustEvidence",
+        "generated_at": datetime.now(timezone.utc).isoformat(),
+        "input_count": len(normalized_inputs),
+        "inputs": normalized_inputs,
+    }
+    evidence_path.write_text(json.dumps(payload, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
+    return evidence_path.as_posix()
+
+
+def write_sandbox_budget_evidence(
+    *,
+    project_dir: str | Path,
+    run_id: str,
+    budget: dict[str, Any],
+    isolation: dict[str, Any],
+) -> str:
+    tagged = tag_content(
+        {
+            "source_type": "workspace",
+            "source_ref": f"forge:{run_id}",
+            "content": {
+                "run_id": run_id,
+                "budget": budget,
+                "isolation": isolation,
+            },
+        },
+        TrustTier.BALANCED,
+    )
+    return write_trust_evidence(
+        [tagged],
+        output_dir=Path(project_dir) / EVIDENCE_REL_DIR,
+    )
+
+
+def mark_untrusted_content(
+    project_dir: str,
+    *,
+    source_type: str,
+    content: str,
+    source_ref: str = "",
+    tier: TrustTier | str | None = None,
+) -> dict[str, Any]:
+    state_path = _state_path(project_dir)
+    state = get_untrusted_content_state(project_dir)
+    sanitized, quarantined = quarantine_instruction_like_text(content)
+    resolved_tier = normalize_trust_tier(tier) if tier is not None else trust_tier_for_source(source_type)
+    entry = tag_content(
+        {
+            "source_type": source_type,
+            "source_ref": source_ref,
+            "quarantined_fragments": quarantined,
+            "sanitized_content": sanitized,
+        },
+        resolved_tier,
+    )
+    entry["trust_tier"] = resolved_tier.value
+    entry["trust_score"] = entry.get("_trust_score", 0.0)
+
+    evidence_path = write_trust_evidence(
+        [entry],
+        output_dir=Path(project_dir) / EVIDENCE_REL_DIR,
+    )
+    entry["evidence_artifact"] = evidence_path
+
+    provenance = list(state.get("provenance", []))
+    provenance.append(entry)
+
+    prior_scores = state.get("trust_scores", {})
+    next_external_score = min(
+        [
+            float(prior_scores.get("external_content", 1.0)),
+            float(entry.get("_trust_score", 0.0)),
+        ]
+    )
+    next_state = {
+        "active": resolved_tier in {TrustTier.RESEARCH, TrustTier.BROWSER},
+        "last_source_type": source_type,
+        "last_source_ref": source_ref,
+        "last_trust_tier": resolved_tier.value,
+        "last_trust_label": entry.get("_trust_label"),
+        "last_trust_score": entry.get("_trust_score"),
+        "last_evidence_artifact": evidence_path,
+        "sanitized_content": sanitized,
+        "quarantined_fragments": quarantined,
+        "provenance": provenance[-20:],
+        "trust_scores": {
+            **(prior_scores if isinstance(prior_scores, dict) else {}),
+            "external_content": next_external_score,
+            resolved_tier.value: float(entry.get("_trust_score", 0.0)),
+        },
+        "evidence_artifacts": (list(state.get("evidence_artifacts", [])) + [evidence_path])[-20:],
+    }
+    _write_state(state_path, next_state)
+    return next_state
+
+
+def clear_untrusted_content(project_dir: str, *, reason: str) -> dict[str, Any]:
+    state_path = _state_path(project_dir)
+    existing = get_untrusted_content_state(project_dir)
+    next_state = {
+        **existing,
+        "active": False,
+        "cleared_reason": reason,
+    }
+    _write_state(state_path, next_state)
+    return next_state
+
+
+def get_untrusted_content_state(project_dir: str) -> dict[str, Any]:
+    state_path = _state_path(project_dir)
+    if not state_path.exists():
+        return {
+            "active": False,
+            "provenance": [],
+            "trust_scores": {},
+        }
+    try:
+        payload = json.loads(state_path.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError):
+        return {
+            "active": False,
+            "provenance": [],
+            "trust_scores": {},
+        }
+    return payload if isinstance(payload, dict) else {"active": False, "provenance": [], "trust_scores": {}}
+
+
+def is_untrusted_content_mode_active(project_dir: str) -> bool:
+    return bool(get_untrusted_content_state(project_dir).get("active", False))
+
+
+def check_staleness(
+    project_dir: str,
+    max_age_seconds: float = 3600.0,
+) -> dict[str, Any]:
+    """Check whether the untrusted-content state is stale.
+
+    This is a **read-only** diagnostic.  It never clears or mutates
+    the state file — ``clear_untrusted_content()`` remains the only
+    legitimate way to deactivate the ``active`` flag.
+
+    Returns a dict with ``stale`` (bool), ``age_seconds`` (float),
+    and ``recommendation`` (str).
+    """
+    state = get_untrusted_content_state(project_dir)
+    if not state.get("active", False):
+        return {
+            "stale": False,
+            "age_seconds": 0.0,
+            "recommendation": "no active untrusted content",
+        }
+
+    updated_at_raw = state.get("updated_at")
+    if not updated_at_raw:
+        return {
+            "stale": False,
+            "age_seconds": 0.0,
+            "recommendation": "no timestamp, assume fresh",
+        }
+
+    try:
+        updated_at = datetime.fromisoformat(updated_at_raw)
+    except (TypeError, ValueError):
+        return {
+            "stale": False,
+            "age_seconds": 0.0,
+            "recommendation": "no timestamp, assume fresh",
+        }
+
+    age_seconds = (datetime.now(timezone.utc) - updated_at).total_seconds()
+    if age_seconds > max_age_seconds:
+        return {
+            "stale": True,
+            "age_seconds": age_seconds,
+            "recommendation": "review or clear with clear_untrusted_content()",
+        }
+    return {
+        "stale": False,
+        "age_seconds": age_seconds,
+        "recommendation": "state is fresh",
+    }
+
+
+def quarantine_instruction_like_text(content: str) -> tuple[str, list[str]]:
+    sanitized_lines: list[str] = []
+    quarantined: list[str] = []
+    for raw_line in content.splitlines():
+        line = raw_line.strip()
+        if any(pattern.search(line) for pattern in _INSTRUCTION_PATTERNS):
+            quarantined.append(raw_line)
+            continue
+        sanitized_lines.append(raw_line)
+    return "\n".join(sanitized_lines).strip(), quarantined
+
+
+def _state_path(project_dir: str) -> Path:
+    return Path(project_dir) / STATE_REL_PATH
+
+
+def _write_state(path: Path, payload: dict[str, Any]) -> None:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    payload["updated_at"] = datetime.now(timezone.utc).isoformat()
+    path.write_text(json.dumps(payload, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")

package/runtime/validate.py

@@ -0,0 +1,293 @@
+"""Canonical validation engine — composes doctor, contract, profile, and install checks.
+
+This module is the single entrypoint for ``omg validate``.  It delegates to
+existing checkers (``run_doctor``, ``validate_contract_registry``, profile
+governor, install integrity) rather than duplicating their logic.
+"""
+from __future__ import annotations
+
+import os
+import shutil
+from pathlib import Path
+from typing import Any
+
+from runtime.adoption import CANONICAL_VERSION
+from runtime.compat import run_doctor, _doctor_check
+from runtime.contract_compiler import validate_contract_registry
+from runtime.plugin_diagnostics import run_plugin_diagnostics
+from runtime.profile_io import load_profile, ensure_governed_preferences, assess_profile_risk
+
+
+def _check_contract_registry(root_dir: Path) -> dict[str, Any]:
+    """Compose contract registry validation into a single doctor-style check."""
+    try:
+        result = validate_contract_registry(root_dir)
+    except Exception as exc:
+        return _doctor_check(
+            "contract_registry",
+            ok=False,
+            message=f"contract validation error: {exc}",
+        )
+    if result.get("status") == "ok":
+        error_count = len(result.get("errors", []))
+        return _doctor_check(
+            "contract_registry",
+            ok=True,
+            message=f"contract registry valid ({error_count} errors)",
+        )
+    errors = result.get("errors", [])
+    summary = errors[0] if errors else "unknown error"
+    if len(errors) > 1:
+        summary += f" (+{len(errors) - 1} more)"
+    return _doctor_check(
+        "contract_registry",
+        ok=False,
+        message=f"contract registry invalid: {summary}",
+    )
+
+
+def _check_profile_governor(root_dir: Path) -> dict[str, Any]:
+    """Validate that governed profile state is consistent."""
+    profile_path = os.path.join(root_dir, ".omg", "state", "profile.yaml")
+    profile = load_profile(profile_path)
+
+    if not profile:
+        return _doctor_check(
+            "profile_governor",
+            ok=True,
+            message="no profile found (optional — run /OMG:init to create)",
+            required=False,
+        )
+
+    try:
+        ensure_governed_preferences(profile)
+    except Exception as exc:
+        return _doctor_check(
+            "profile_governor",
+            ok=False,
+            message=f"governed preferences malformed: {exc}",
+            required=False,
+        )
+
+    governed = profile.get("governed_preferences", {})
+    governed = governed if isinstance(governed, dict) else {}
+    style_entries = governed.get("style", [])
+    style_entries = style_entries if isinstance(style_entries, list) else []
+    safety_entries = governed.get("safety", [])
+    safety_entries = safety_entries if isinstance(safety_entries, list) else []
+
+    pending = sum(
+        1 for e in style_entries + safety_entries
+        if isinstance(e, dict) and e.get("confirmation_state") == "pending_confirmation"
+    )
+
+    risk = assess_profile_risk(profile)
+    risk_level = str(risk.get("risk_level", "low"))
+
+    parts = [f"{len(style_entries)} style, {len(safety_entries)} safety"]
+    if pending:
+        parts.append(f"{pending} pending confirmation")
+    parts.append(f"risk={risk_level}")
+
+    return _doctor_check(
+        "profile_governor",
+        ok=True,
+        message=f"profile governor ok ({', '.join(parts)})",
+        required=False,
+    )
+
+
+def _check_install_integrity(root_dir: Path) -> dict[str, Any]:
+    """Verify critical install paths exist and are coherent."""
+    issues: list[str] = []
+
+    # Check scripts/omg.py exists
+    omg_script = root_dir / "scripts" / "omg.py"
+    if not omg_script.exists():
+        issues.append("scripts/omg.py missing")
+
+    # Check runtime/ package exists
+    runtime_init = root_dir / "runtime" / "__init__.py"
+    runtime_dir = root_dir / "runtime"
+    if not runtime_dir.exists():
+        issues.append("runtime/ directory missing")
+
+    # Check commands/ directory exists
+    commands_dir = root_dir / "commands"
+    if not commands_dir.exists():
+        issues.append("commands/ directory missing")
+
+    # Check plugins/core/plugin.json exists
+    plugin_json = root_dir / "plugins" / "core" / "plugin.json"
+    if not plugin_json.exists():
+        issues.append("plugins/core/plugin.json missing")
+
+    # Check pyproject.toml exists
+    pyproject = root_dir / "pyproject.toml"
+    if not pyproject.exists():
+        issues.append("pyproject.toml missing")
+
+    if issues:
+        return _doctor_check(
+            "install_integrity",
+            ok=False,
+            message=f"install issues: {'; '.join(issues)}",
+        )
+    return _doctor_check(
+        "install_integrity",
+        ok=True,
+        message="install integrity ok (scripts, runtime, commands, plugins present)",
+    )
+
+
+def _check_plugin_compatibility(root_dir: Path) -> dict[str, Any]:
+    try:
+        result = run_plugin_diagnostics(str(root_dir))
+    except Exception as exc:
+        return _doctor_check(
+            "plugin_compatibility",
+            ok=False,
+            message=f"plugin diagnostics error: {exc}",
+        )
+
+    status = str(result.get("status", "error"))
+    summary = result.get("summary", {})
+    summary = summary if isinstance(summary, dict) else {}
+    total_records = int(summary.get("total_records", 0))
+    total_conflicts = int(summary.get("total_conflicts", 0))
+    blockers = int(summary.get("blockers", 0))
+
+    return _doctor_check(
+        "plugin_compatibility",
+        ok=status in {"ok", "warn"},
+        message=(
+            f"plugin compatibility: {total_records} records, "
+            f"{total_conflicts} conflicts, {blockers} blockers"
+        ),
+    )
+
+
+def _load_selected_mcps(root_dir: Path) -> list[str]:
+    """Load selected MCP IDs from cli-config.yaml.
+
+    Checks CLAUDE_PROJECT_DIR env first, then falls back to root_dir.
+    Returns an empty list when the config file is absent or unparseable.
+    """
+    import yaml as _yaml
+
+    project_dir = os.environ.get("CLAUDE_PROJECT_DIR", "")
+    if project_dir:
+        config_path = os.path.join(project_dir, ".omg", "state", "cli-config.yaml")
+    else:
+        config_path = os.path.join(root_dir, ".omg", "state", "cli-config.yaml")
+
+    if not os.path.isfile(config_path):
+        return []
+
+    try:
+        with open(config_path, "r", encoding="utf-8") as f:
+            data = _yaml.safe_load(f)
+    except Exception:
+        return []
+
+    if not isinstance(data, dict):
+        return []
+
+    mcps = data.get("selected_mcps", [])
+    return [str(m) for m in mcps] if isinstance(mcps, list) else []
+
+
+def _check_notebooklm(root_dir: Path) -> dict[str, Any] | None:
+    """Optional NotebookLM health check — only runs when notebooklm is selected.
+
+    Returns None when NotebookLM is not in the selected MCP set (meaning:
+    skip entirely, no check emitted).  When selected, checks that ``npx``
+    is reachable on PATH.  Missing npx is a *warning*, never a blocker.
+    """
+    selected = _load_selected_mcps(root_dir)
+    if "notebooklm" not in selected:
+        return None
+
+    npx_path = shutil.which("npx")
+    if npx_path is None:
+        return _doctor_check(
+            "notebooklm",
+            ok=False,
+            message="npx not found — install Node.js to use NotebookLM",
+            required=False,
+        )
+
+    return _doctor_check(
+        "notebooklm",
+        ok=True,
+        message="npx available, notebooklm-mcp callable",
+        required=False,
+    )
+
+
+def run_validate(*, root_dir: Path | None = None) -> dict[str, Any]:
+    """Run all validation checks and return a structured result.
+
+    Composes:
+    1. ``run_doctor()`` — install and runtime checks
+    2. Contract registry validation
+    3. Profile governor validation
+    4. Install integrity check
+    5. Optional NotebookLM check (only when selected in MCP config)
+
+    Returns a dict matching the ``ValidateResult`` schema:
+    ``{"schema": "ValidateResult", "status": "pass"|"fail", "checks": [...], "version": "..."}``
+    """
+    repo_root = root_dir or Path(__file__).resolve().parent.parent
+
+    checks: list[dict[str, Any]] = []
+
+    # 1. Compose doctor checks (never duplicate — delegate directly)
+    doctor_result = run_doctor(root_dir=repo_root)
+    checks.extend(doctor_result.get("checks", []))
+
+    # 2. Contract registry
+    checks.append(_check_contract_registry(repo_root))
+
+    # 3. Profile governor
+    checks.append(_check_profile_governor(repo_root))
+
+    # 4. Install integrity
+    checks.append(_check_install_integrity(repo_root))
+
+    if not any(c.get("name") == "plugin_compatibility" for c in checks):
+        checks.append(_check_plugin_compatibility(repo_root))
+
+    nb_check = _check_notebooklm(repo_root)
+    if nb_check is not None:
+        checks.append(nb_check)
+
+    has_blocker = any(c["status"] == "blocker" for c in checks)
+
+    return {
+        "schema": "ValidateResult",
+        "status": "fail" if has_blocker else "pass",
+        "checks": checks,
+        "version": CANONICAL_VERSION,
+    }
+
+
+def format_text(result: dict[str, Any]) -> str:
+    """Format a ValidateResult as human-readable text."""
+    lines: list[str] = []
+    for check in result.get("checks", []):
+        if check["status"] == "ok":
+            marker = "PASS"
+        elif check["status"] == "blocker":
+            marker = "BLOCKER"
+        else:
+            marker = "WARN"
+        req_tag = "" if check.get("required", True) else " (optional)"
+        lines.append(f"  {marker:>7} {check['name']}: {check['message']}{req_tag}")
+
+    blockers = sum(1 for c in result.get("checks", []) if c["status"] == "blocker")
+    warnings = sum(1 for c in result.get("checks", []) if c["status"] == "warning")
+    passed = sum(1 for c in result.get("checks", []) if c["status"] == "ok")
+    lines.append(f"\nPASS [{passed}] | WARN [{warnings}] | BLOCKER [{blockers}]")
+
+    return "\n".join(lines)