delimit-cli 2.3.2 → 3.0.0

package/gateway/tasks/check_policy.py

@@ -0,0 +1,177 @@
+import yaml
+from typing import Dict, List, Any
+from core.registry import task_registry
+from schemas.base import TaskRequest
+
+register_task = task_registry.register
+
+@register_task("check-policy", version="v1", description="Check API against policy rules")
+def check_policy_handler(request: TaskRequest) -> Dict[str, Any]:
+    """Validate API specification against organizational policies"""
+    
+    files = request.files
+    if not files:
+        raise ValueError("check-policy requires at least one API spec file")
+    
+    # Load policy from config or use defaults
+    policy = request.config.get("policy", get_default_policy())
+    if isinstance(policy, str):
+        # If policy is a file path, load it
+        policy = load_policy(policy)
+    
+    violations = []
+    warnings = []
+    passed_checks = []
+    
+    for file_path in files:
+        spec = load_spec(file_path)
+        
+        # Check various policy rules
+        violations_found, warnings_found, passed = check_spec_against_policy(spec, policy)
+        violations.extend(violations_found)
+        warnings.extend(warnings_found)
+        passed_checks.extend(passed)
+    
+    compliance_score = calculate_compliance_score(violations, warnings, passed_checks)
+    
+    return {
+        "compliant": len(violations) == 0,
+        "violations": violations,
+        "warnings": warnings,
+        "passed_checks": passed_checks,
+        "compliance_score": compliance_score,
+        "summary": {
+            "total_violations": len(violations),
+            "total_warnings": len(warnings),
+            "total_passed": len(passed_checks)
+        }
+    }
+
+def load_spec(file_path: str) -> Dict:
+    """Load API specification"""
+    with open(file_path, 'r') as f:
+        if file_path.endswith('.yaml') or file_path.endswith('.yml'):
+            return yaml.safe_load(f)
+        else:
+            import json
+            return json.load(f)
+
+def load_policy(policy_path: str) -> Dict:
+    """Load policy rules from file"""
+    with open(policy_path, 'r') as f:
+        return yaml.safe_load(f)
+
+def get_default_policy() -> Dict:
+    """Get default policy rules"""
+    return {
+        "rules": {
+            "require_version": True,
+            "require_description": True,
+            "require_auth": True,
+            "require_https": True,
+            "max_path_depth": 5,
+            "naming_convention": "kebab-case",
+            "require_response_codes": ["200", "400", "500"],
+            "require_request_validation": True
+        },
+        "severity": {
+            "require_version": "high",
+            "require_auth": "high",
+            "require_https": "high",
+            "require_description": "low",
+            "max_path_depth": "medium",
+            "naming_convention": "low"
+        }
+    }
+
+def check_spec_against_policy(spec: Dict, policy: Dict) -> tuple:
+    """Check specification against policy rules"""
+    violations = []
+    warnings = []
+    passed = []
+    
+    rules = policy.get("rules", {})
+    severity = policy.get("severity", {})
+    
+    # Check version requirement
+    if rules.get("require_version"):
+        if "openapi" in spec or "swagger" in spec:
+            passed.append("API version specified")
+        else:
+            violation = {
+                "rule": "require_version",
+                "message": "API specification must include version",
+                "severity": severity.get("require_version", "medium")
+            }
+            if violation["severity"] == "high":
+                violations.append(violation)
+            else:
+                warnings.append(violation["message"])
+    
+    # Check description
+    if rules.get("require_description"):
+        if spec.get("info", {}).get("description"):
+            passed.append("API description present")
+        else:
+            violation = {
+                "rule": "require_description",
+                "message": "API must have a description",
+                "severity": severity.get("require_description", "low")
+            }
+            warnings.append(violation["message"])
+    
+    # Check security/auth
+    if rules.get("require_auth"):
+        if spec.get("security") or spec.get("securityDefinitions") or spec.get("components", {}).get("securitySchemes"):
+            passed.append("Security definitions present")
+        else:
+            violations.append({
+                "rule": "require_auth",
+                "message": "API must define security schemes",
+                "severity": severity.get("require_auth", "high")
+            })
+    
+    # Check HTTPS requirement
+    if rules.get("require_https"):
+        servers = spec.get("servers", [])
+        if servers:
+            non_https = [s for s in servers if not s.get("url", "").startswith("https://")]
+            if non_https:
+                violations.append({
+                    "rule": "require_https",
+                    "message": f"All servers must use HTTPS. Found non-HTTPS: {len(non_https)}",
+                    "severity": severity.get("require_https", "high")
+                })
+            else:
+                passed.append("All servers use HTTPS")
+        else:
+            warnings.append("No servers defined to check HTTPS requirement")
+    
+    # Check path depth
+    max_depth = rules.get("max_path_depth", 5)
+    if "paths" in spec:
+        for path in spec["paths"]:
+            depth = len([p for p in path.split("/") if p])
+            if depth > max_depth:
+                warnings.append(f"Path exceeds max depth ({max_depth}): {path}")
+    
+    return violations, warnings, passed
+
+def calculate_compliance_score(violations: List, warnings: List, passed: List) -> int:
+    """Calculate compliance score (0-100)"""
+    total_checks = len(violations) + len(warnings) + len(passed)
+    if total_checks == 0:
+        return 100
+    
+    # High severity violations heavily impact score
+    high_violations = len([v for v in violations if v.get("severity") == "high"])
+    med_violations = len([v for v in violations if v.get("severity") == "medium"])
+    low_violations = len([v for v in violations if v.get("severity") == "low"])
+    
+    score = 100
+    score -= high_violations * 20
+    score -= med_violations * 10
+    score -= low_violations * 5
+    score -= len(warnings) * 2
+    
+    return max(0, score)

package/gateway/tasks/check_policy_v2.py

@@ -0,0 +1,255 @@
+"""
+Check Policy task with Evidence Contract - ONLY enforces implemented rules
+V12 Core Hardening
+"""
+
+import yaml
+import json
+from typing import Dict, List
+from pathlib import Path
+
+from core.registry_v2 import task_registry
+from schemas.requests import CheckPolicyRequest
+from schemas.evidence import (
+    PolicyComplianceEvidence, Decision, Violation, ViolationSeverity,
+    Evidence, Remediation
+)
+
+
+# ONLY rules we actually implement
+IMPLEMENTED_RULES = {
+    "require_openapi_version",
+    "require_info_description", 
+    "require_security_definition",
+    "require_https_only",
+    "max_path_depth"
+}
+
+
+@task_registry.register("check-policy", version="1.0", description="Check API against implemented policy rules")
+def check_policy_handler(request: CheckPolicyRequest) -> PolicyComplianceEvidence:
+    """Validate API spec against ACTUALLY IMPLEMENTED policy rules"""
+    
+    # Get policy - either from file, inline, or defaults
+    if request.policy_file:
+        policy = load_policy(request.policy_file)
+    elif request.policy_inline:
+        policy = request.policy_inline
+    else:
+        policy = get_default_policy()
+    
+    violations = []
+    evidence_list = []
+    checks_performed = 0
+    checks_passed = 0
+    
+    # Process each spec file
+    for spec_file in request.spec_files:
+        spec = load_spec(spec_file)
+        
+        # ONLY check rules we actually implement
+        for rule_name in IMPLEMENTED_RULES:
+            if not policy.get("rules", {}).get(rule_name, False):
+                continue  # Rule not enabled in policy
+            
+            checks_performed += 1
+            rule_passed, violation = check_rule(rule_name, spec, policy)
+            
+            if rule_passed:
+                checks_passed += 1
+                evidence_list.append(Evidence(
+                    rule=rule_name,
+                    passed=True,
+                    details={"file": spec_file, "status": "passed"}
+                ))
+            else:
+                violations.append(violation)
+                evidence_list.append(Evidence(
+                    rule=rule_name,
+                    passed=False,
+                    details={"file": spec_file, "reason": violation.message}
+                ))
+    
+    # Calculate compliance score
+    compliance_score = int((checks_passed / checks_performed * 100)) if checks_performed > 0 else 100
+    
+    # Determine decision
+    if violations:
+        high_severity = any(v.severity == ViolationSeverity.HIGH for v in violations)
+        if high_severity:
+            decision = Decision.FAIL
+            exit_code = 1
+        else:
+            decision = Decision.WARN
+            exit_code = 0
+    else:
+        decision = Decision.PASS
+        exit_code = 0
+    
+    # Build summary
+    if decision == Decision.PASS:
+        summary = f"Policy check passed: All {checks_performed} checks passed"
+    elif decision == Decision.WARN:
+        summary = f"Policy check passed with warnings: {len(violations)} low-severity issues"
+    else:
+        summary = f"Policy check failed: {len(violations)} violations found"
+    
+    # Build remediation
+    remediation = None
+    if violations:
+        steps = []
+        for v in violations[:3]:  # Show top 3 violations
+            if v.rule == "require_openapi_version":
+                steps.append("Add 'openapi' field with version (e.g., openapi: 3.0.0)")
+            elif v.rule == "require_info_description":
+                steps.append("Add description field under info section")
+            elif v.rule == "require_security_definition":
+                steps.append("Define security schemes in components.securitySchemes")
+            elif v.rule == "require_https_only":
+                steps.append("Update all server URLs to use HTTPS")
+            elif v.rule == "max_path_depth":
+                steps.append("Simplify API paths to reduce nesting depth")
+        
+        remediation = Remediation(
+            summary="Fix policy violations to ensure API compliance",
+            steps=steps,
+            documentation="https://docs.delimit.ai/policy-rules"
+        )
+    
+    return PolicyComplianceEvidence(
+        task="check-policy",
+        task_version="1.0",
+        decision=decision,
+        exit_code=exit_code,
+        violations=violations,
+        evidence=evidence_list,
+        remediation=remediation,
+        summary=summary,
+        correlation_id=request.correlation_id,
+        metrics={
+            "files_checked": len(request.spec_files),
+            "rules_checked": checks_performed,
+            "rules_passed": checks_passed,
+            "violations": len(violations)
+        },
+        compliance_score=compliance_score,
+        policy_version="1.0",
+        checks_performed=checks_performed,
+        checks_passed=checks_passed
+    )
+
+
+def check_rule(rule_name: str, spec: Dict, policy: Dict) -> tuple[bool, Violation]:
+    """Check a specific rule - ONLY for implemented rules"""
+    
+    severity_map = policy.get("severity", {})
+    
+    if rule_name == "require_openapi_version":
+        if "openapi" in spec or "swagger" in spec:
+            return True, None
+        return False, Violation(
+            rule=rule_name,
+            severity=ViolationSeverity(severity_map.get(rule_name, "high")),
+            message="API specification must include OpenAPI version",
+            details={"missing": "openapi field"}
+        )
+    
+    elif rule_name == "require_info_description":
+        if spec.get("info", {}).get("description"):
+            return True, None
+        return False, Violation(
+            rule=rule_name,
+            severity=ViolationSeverity(severity_map.get(rule_name, "low")),
+            message="API must have a description in info section",
+            details={"missing": "info.description"}
+        )
+    
+    elif rule_name == "require_security_definition":
+        has_security = (
+            spec.get("security") or 
+            spec.get("securityDefinitions") or 
+            spec.get("components", {}).get("securitySchemes")
+        )
+        if has_security:
+            return True, None
+        return False, Violation(
+            rule=rule_name,
+            severity=ViolationSeverity(severity_map.get(rule_name, "high")),
+            message="API must define security schemes",
+            details={"missing": "security definitions"}
+        )
+    
+    elif rule_name == "require_https_only":
+        servers = spec.get("servers", [])
+        if not servers:
+            return True, None  # No servers defined, pass by default
+        
+        non_https = [s for s in servers if not s.get("url", "").startswith("https://")]
+        if non_https:
+            return False, Violation(
+                rule=rule_name,
+                severity=ViolationSeverity(severity_map.get(rule_name, "high")),
+                message=f"All servers must use HTTPS ({len(non_https)} use HTTP)",
+                details={"non_https_count": str(len(non_https))}
+            )
+        return True, None
+    
+    elif rule_name == "max_path_depth":
+        max_depth = policy.get("rules", {}).get("max_path_depth", 5)
+        violations_found = []
+        
+        if "paths" in spec:
+            for path in spec["paths"]:
+                depth = len([p for p in path.split("/") if p])
+                if depth > max_depth:
+                    violations_found.append(path)
+        
+        if violations_found:
+            return False, Violation(
+                rule=rule_name,
+                severity=ViolationSeverity(severity_map.get(rule_name, "medium")),
+                message=f"Paths exceed max depth of {max_depth}",
+                path=violations_found[0],
+                details={"paths_over_limit": str(len(violations_found))}
+            )
+        return True, None
+    
+    # Unknown rule - should never happen with IMPLEMENTED_RULES filter
+    return True, None
+
+
+def get_default_policy() -> Dict:
+    """Get default policy with ONLY implemented rules"""
+    return {
+        "rules": {
+            "require_openapi_version": True,
+            "require_info_description": True,
+            "require_security_definition": True,
+            "require_https_only": True,
+            "max_path_depth": 5
+        },
+        "severity": {
+            "require_openapi_version": "high",
+            "require_info_description": "low",
+            "require_security_definition": "high",
+            "require_https_only": "high",
+            "max_path_depth": "medium"
+        }
+    }
+
+
+def load_spec(file_path: str) -> Dict:
+    """Load API specification"""
+    path = Path(file_path)
+    with path.open('r') as f:
+        if path.suffix in ['.yaml', '.yml']:
+            return yaml.safe_load(f)
+        else:
+            return json.load(f)
+
+
+def load_policy(policy_path: str) -> Dict:
+    """Load policy rules from file"""
+    path = Path(policy_path)
+    with path.open('r') as f:
+        return yaml.safe_load(f)

package/gateway/tasks/check_policy_v3.py

@@ -0,0 +1,255 @@
+"""
+Check Policy task with Evidence Contract - V12 Final
+ONLY enforces implemented rules with Pydantic v2
+"""
+
+import yaml
+import json
+from typing import Dict, List
+from pathlib import Path
+
+from core.registry_v3 import task_registry
+from schemas.requests_v2 import CheckPolicyRequest
+from schemas.evidence import (
+    PolicyComplianceEvidence, Decision, Violation, ViolationSeverity,
+    Evidence, Remediation
+)
+
+
+# ONLY rules we actually implement
+IMPLEMENTED_RULES = {
+    "require_openapi_version",
+    "require_info_description", 
+    "require_security_definition",
+    "require_https_only",
+    "max_path_depth"
+}
+
+
+@task_registry.register("check-policy", task_version="1.0", description="Check API against implemented policy rules")
+def check_policy_handler(request: CheckPolicyRequest) -> PolicyComplianceEvidence:
+    """Validate API spec against ACTUALLY IMPLEMENTED policy rules"""
+    
+    # Get policy - either from file, inline, or defaults
+    if request.policy_file:
+        policy = load_policy(request.policy_file)
+    elif request.policy_inline:
+        policy = request.policy_inline
+    else:
+        policy = get_default_policy()
+    
+    violations = []
+    evidence_list = []
+    checks_performed = 0
+    checks_passed = 0
+    
+    # Process each spec file
+    for spec_file in request.spec_files:
+        spec = load_spec(spec_file)
+        
+        # ONLY check rules we actually implement
+        for rule_name in IMPLEMENTED_RULES:
+            if not policy.get("rules", {}).get(rule_name, False):
+                continue  # Rule not enabled in policy
+            
+            checks_performed += 1
+            rule_passed, violation = check_rule(rule_name, spec, policy)
+            
+            if rule_passed:
+                checks_passed += 1
+                evidence_list.append(Evidence(
+                    rule=rule_name,
+                    passed=True,
+                    details={"file": spec_file, "status": "passed"}
+                ))
+            else:
+                violations.append(violation)
+                evidence_list.append(Evidence(
+                    rule=rule_name,
+                    passed=False,
+                    details={"file": spec_file, "reason": violation.message}
+                ))
+    
+    # Calculate compliance score
+    compliance_score = int((checks_passed / checks_performed * 100)) if checks_performed > 0 else 100
+    
+    # Determine decision
+    if violations:
+        high_severity = any(v.severity == ViolationSeverity.HIGH for v in violations)
+        if high_severity:
+            decision = Decision.FAIL
+            exit_code = 1
+        else:
+            decision = Decision.WARN
+            exit_code = 0
+    else:
+        decision = Decision.PASS
+        exit_code = 0
+    
+    # Build summary
+    if decision == Decision.PASS:
+        summary = f"Policy check passed: All {checks_performed} checks passed"
+    elif decision == Decision.WARN:
+        summary = f"Policy check passed with warnings: {len(violations)} low-severity issues"
+    else:
+        summary = f"Policy check failed: {len(violations)} violations found"
+    
+    # Build remediation
+    remediation = None
+    if violations:
+        steps = []
+        for v in violations[:3]:  # Show top 3 violations
+            if v.rule == "require_openapi_version":
+                steps.append("Add 'openapi' field with version (e.g., openapi: 3.0.0)")
+            elif v.rule == "require_info_description":
+                steps.append("Add description field under info section")
+            elif v.rule == "require_security_definition":
+                steps.append("Define security schemes in components.securitySchemes")
+            elif v.rule == "require_https_only":
+                steps.append("Update all server URLs to use HTTPS")
+            elif v.rule == "max_path_depth":
+                steps.append("Simplify API paths to reduce nesting depth")
+        
+        remediation = Remediation(
+            summary="Fix policy violations to ensure API compliance",
+            steps=steps,
+            documentation="https://docs.delimit.ai/policy-rules"
+        )
+    
+    return PolicyComplianceEvidence(
+        task="check-policy",
+        task_version="1.0",
+        decision=decision,
+        exit_code=exit_code,
+        violations=violations,
+        evidence=evidence_list,
+        remediation=remediation,
+        summary=summary,
+        correlation_id=request.correlation_id,
+        metrics={
+            "files_checked": len(request.spec_files),
+            "rules_checked": checks_performed,
+            "rules_passed": checks_passed,
+            "violations": len(violations)
+        },
+        compliance_score=compliance_score,
+        policy_version="1.0",
+        checks_performed=checks_performed,
+        checks_passed=checks_passed
+    )
+
+
+def check_rule(rule_name: str, spec: Dict, policy: Dict) -> tuple[bool, Violation]:
+    """Check a specific rule - ONLY for implemented rules"""
+    
+    severity_map = policy.get("severity", {})
+    
+    if rule_name == "require_openapi_version":
+        if "openapi" in spec or "swagger" in spec:
+            return True, None
+        return False, Violation(
+            rule=rule_name,
+            severity=ViolationSeverity(severity_map.get(rule_name, "high")),
+            message="API specification must include OpenAPI version",
+            details={"missing": "openapi field"}
+        )
+    
+    elif rule_name == "require_info_description":
+        if spec.get("info", {}).get("description"):
+            return True, None
+        return False, Violation(
+            rule=rule_name,
+            severity=ViolationSeverity(severity_map.get(rule_name, "low")),
+            message="API must have a description in info section",
+            details={"missing": "info.description"}
+        )
+    
+    elif rule_name == "require_security_definition":
+        has_security = (
+            spec.get("security") or 
+            spec.get("securityDefinitions") or 
+            spec.get("components", {}).get("securitySchemes")
+        )
+        if has_security:
+            return True, None
+        return False, Violation(
+            rule=rule_name,
+            severity=ViolationSeverity(severity_map.get(rule_name, "high")),
+            message="API must define security schemes",
+            details={"missing": "security definitions"}
+        )
+    
+    elif rule_name == "require_https_only":
+        servers = spec.get("servers", [])
+        if not servers:
+            return True, None  # No servers defined, pass by default
+        
+        non_https = [s for s in servers if not s.get("url", "").startswith("https://")]
+        if non_https:
+            return False, Violation(
+                rule=rule_name,
+                severity=ViolationSeverity(severity_map.get(rule_name, "high")),
+                message=f"All servers must use HTTPS ({len(non_https)} use HTTP)",
+                details={"non_https_count": str(len(non_https))}
+            )
+        return True, None
+    
+    elif rule_name == "max_path_depth":
+        max_depth = policy.get("rules", {}).get("max_path_depth", 5)
+        violations_found = []
+        
+        if "paths" in spec:
+            for path in spec["paths"]:
+                depth = len([p for p in path.split("/") if p])
+                if depth > max_depth:
+                    violations_found.append(path)
+        
+        if violations_found:
+            return False, Violation(
+                rule=rule_name,
+                severity=ViolationSeverity(severity_map.get(rule_name, "medium")),
+                message=f"Paths exceed max depth of {max_depth}",
+                path=violations_found[0],
+                details={"paths_over_limit": str(len(violations_found))}
+            )
+        return True, None
+    
+    # Unknown rule - should never happen with IMPLEMENTED_RULES filter
+    return True, None
+
+
+def get_default_policy() -> Dict:
+    """Get default policy with ONLY implemented rules"""
+    return {
+        "rules": {
+            "require_openapi_version": True,
+            "require_info_description": True,
+            "require_security_definition": True,
+            "require_https_only": True,
+            "max_path_depth": 5
+        },
+        "severity": {
+            "require_openapi_version": "high",
+            "require_info_description": "low",
+            "require_security_definition": "high",
+            "require_https_only": "high",
+            "max_path_depth": "medium"
+        }
+    }
+
+
+def load_spec(file_path: str) -> Dict:
+    """Load API specification"""
+    path = Path(file_path)
+    with path.open('r') as f:
+        if path.suffix in ['.yaml', '.yml']:
+            return yaml.safe_load(f)
+        else:
+            return json.load(f)
+
+
+def load_policy(policy_path: str) -> Dict:
+    """Load policy rules from file"""
+    path = Path(policy_path)
+    with path.open('r') as f:
+        return yaml.safe_load(f)