agentirc-cli 0.19.0__tar.gz → 0.20.1__tar.gz

agentirc_cli-0.20.1/.flake8

@@ -0,0 +1,19 @@
+[flake8]
+max-line-length = 100
+exclude =
+    .git,
+    __pycache__,
+    .venv,
+    dist,
+    build,
+    .eggs,
+    packages
+extend-ignore =
+    E203,
+    W503,
+    S101
+per-file-ignores =
+    agentirc/credentials.py:S603,S607
+    agentirc/persistence.py:S603,S607
+    agentirc/cli.py:S603,S607
+    tests/*:S101

agentirc_cli-0.20.1/.github/workflows/security-checks.yml

@@ -0,0 +1,84 @@
+name: Security Checks
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 0 * * 0'  # Weekly on Sunday at midnight
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  security-scans:
+    name: Security Scans
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: astral-sh/setup-uv@v4
+
+      - run: uv python install 3.12
+
+      - run: uv sync
+
+      - name: Run Bandit
+        run: uv run bandit -r agentirc/ -f json -o bandit-results.json -c pyproject.toml
+        continue-on-error: true
+
+      - name: Run Pylint
+        run: uv run pylint agentirc/ --rcfile=.pylintrc --output-format=json:pylint-results.json,text
+        continue-on-error: true
+
+      - name: Run Safety dependency check
+        run: uv run safety check --full-report --output json > safety-results.json
+        continue-on-error: true
+
+      - name: Upload Security Results
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-results
+          path: |
+            bandit-results.json
+            pylint-results.json
+            safety-results.json
+
+      - name: Run test coverage
+        run: |
+          uv run pytest --cov=agentirc --cov-report=xml:coverage.xml --cov-report=term -v
+        continue-on-error: true
+
+  dependency-review:
+    name: Dependency Review
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+
+  codeql-analysis:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3

{agentirc_cli-0.19.0 → agentirc_cli-0.20.1}/.gitignore

@@ -206,6 +206,12 @@ marimo/_static/
 marimo/_lsp/
 __marimo__/
 
+# Security scan reports
+bandit-results.json
+pylint-results.json
+safety-results.json
+.sonar/
+
 # Superpowers & worktrees
 .superpowers/
 .worktrees/

agentirc_cli-0.20.1/.pre-commit-config.yaml

@@ -0,0 +1,42 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: trailing-whitespace
+  - id: end-of-file-fixer
+  - id: check-yaml
+  - id: check-added-large-files
+  - id: check-ast
+  - id: detect-private-key
+
+- repo: local
+  hooks:
+  - id: flake8
+    name: flake8
+    entry: uv run flake8 --config=.flake8
+    language: system
+    types: [python]
+
+  - id: isort
+    name: isort
+    entry: uv run isort
+    language: system
+    types: [python]
+
+  - id: black
+    name: black
+    entry: uv run black
+    language: system
+    types: [python]
+
+  - id: bandit
+    name: bandit
+    entry: uv run bandit -c pyproject.toml
+    language: system
+    types: [python]
+
+  - id: pylint
+    name: pylint
+    entry: uv run pylint --rcfile=.pylintrc
+    language: system
+    types: [python]

agentirc_cli-0.20.1/.pylintrc

@@ -0,0 +1,77 @@
+[MASTER]
+ignore=CVS
+persistent=yes
+load-plugins=
+
+[MESSAGES CONTROL]
+disable=
+    C0114,  # missing-module-docstring
+    C0115,  # missing-class-docstring
+    C0116,  # missing-function-docstring
+    C0301,  # line-too-long (handled by black)
+    C0303,  # trailing-whitespace
+    R0801,  # duplicate-code (assimilai pattern: backends share identical files)
+    R0903,  # too-few-public-methods
+    R0913,  # too-many-arguments
+    W0511,  # fixme
+    W0718,  # broad-exception-caught (async server/daemon must catch broadly)
+    W0719,  # broad-exception-raised
+    W1202,  # logging-format-interpolation
+    W1203,  # logging-fstring-interpolation
+
+[REPORTS]
+output-format=text
+reports=yes
+evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
+
+[VARIABLES]
+init-import=no
+dummy-variables-rgx=_$|dummy
+
+[FORMAT]
+max-line-length=100
+ignore-long-lines=^\s*(# )?<?https?://\S+>?$
+single-line-if-stmt=no
+indent-string='    '
+max-module-lines=1000
+
+[SIMILARITIES]
+min-similarity-lines=8
+ignore-comments=yes
+ignore-docstrings=yes
+ignore-imports=yes
+
+[BASIC]
+good-names=i,j,k,ex,Run,_,e,f,fd,ws,ts,ok,ch,ip,op
+bad-names=foo,bar,baz,toto,tutu,tata
+function-rgx=[a-z_][a-z0-9_]{2,50}$
+variable-rgx=[a-z_][a-z0-9_]{1,30}$
+const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$
+attr-rgx=[a-z_][a-z0-9_]{1,30}$
+argument-rgx=[a-z_][a-z0-9_]{1,30}$
+class-rgx=[A-Z_][a-zA-Z0-9]+$
+inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
+no-docstring-rgx=^_
+
+[DESIGN]
+max-args=10
+ignored-argument-names=_.*
+max-locals=15
+max-returns=6
+max-branches=12
+max-statements=50
+max-parents=7
+max-attributes=15
+min-public-methods=2
+max-public-methods=20
+
+[CLASSES]
+defining-attr-methods=__init__,__new__,setUp
+valid-classmethod-first-arg=cls
+valid-metaclass-classmethod-first-arg=mcs
+
+[IMPORTS]
+deprecated-modules=regsub,TERMIOS,Bastion,rexec
+
+[EXCEPTIONS]
+overgeneral-exceptions=builtins.BaseException

{agentirc_cli-0.19.0 → agentirc_cli-0.20.1}/CHANGELOG.md

@@ -4,6 +4,34 @@ All notable changes to this project will be documented in this file.
 
 Format follows [Keep a Changelog](https://keepachangelog.com/).
 
+## [0.20.1] - 2026-04-03
+
+
+### Changed
+
+- SonarCloud uses Automatic Analysis instead of CI-based scanning — removes conflict and simplifies workflow
+
+### Fixed
+
+- Remove SonarCloud CI step that conflicted with Automatic Analysis
+
+## [0.20.0] - 2026-04-03
+
+
+### Added
+
+- Bandit SAST security scanning
+- Pylint static code analysis
+- Safety dependency vulnerability scanning
+- CodeQL semantic analysis (GitHub-native)
+- SonarCloud code quality and security integration
+- Pre-commit hooks (flake8+bandit+bugbear, isort, black, pylint, detect-private-key)
+- Security CI workflow (security-checks.yml)
+- Dependency Review on PRs (fails on high severity)
+- SECURITY.md vulnerability disclosure policy
+- docs/SECURITY.md contributor security guidelines
+- Code coverage enforcement in CI
+
 ## [0.19.0] - 2026-04-03
 
 

{agentirc_cli-0.19.0 → agentirc_cli-0.20.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentirc-cli
-Version: 0.19.0
+Version: 0.20.1
 Summary: 🌱 The space your agents deserve — an autonomous agent mesh where AI agents live, collaborate, and grow
 Project-URL: Homepage, https://github.com/OriNachum/agentirc
 Author: Ori Nachum

agentirc_cli-0.20.1/SECURITY.md

@@ -0,0 +1,39 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in AgentIRC, please report it responsibly.
+
+**Do not** open a public GitHub issue for security vulnerabilities.
+
+### How to Report
+
+Please report security issues privately using one of the following methods:
+
+- **GitHub Security Advisories**: [Report a vulnerability privately](../../security/advisories/new)
+- **Email**: Contact the maintainer directly
+
+Include:
+
+- A description of the vulnerability
+- Steps to reproduce the issue
+- The potential impact
+
+### Response Timeline
+
+- **Acknowledgment**: Within 48 hours
+- **Fix timeline**: Within 7 days of acknowledgment
+- **Disclosure**: Coordinated with the reporter after a fix is available
+
+## Security Measures
+
+This project uses automated security scanning:
+
+- **Bandit** — Python security vulnerability detection
+- **Pylint** — Static code analysis
+- **CodeQL** — GitHub-native semantic analysis
+- **SonarCloud** — Comprehensive code quality and security
+- **Safety** — Dependency vulnerability scanning
+- **Dependency Review** — PR-level dependency checks
+
+See [docs/SECURITY.md](docs/SECURITY.md) for full details on the security toolchain and contributor guidelines.

agentirc_cli-0.20.1/docs/SECURITY.md

@@ -0,0 +1,113 @@
+---
+title: Security
+nav_order: 7
+---
+
+# Security Scanning Setup
+
+This project uses multiple security scanning tools to ensure code quality and security.
+
+## Automated Security Scans
+
+The following security checks run automatically on pushes to main, pull requests, and weekly:
+
+### Bandit
+
+[Bandit](https://bandit.readthedocs.io/) finds common security issues in Python code.
+
+- Results are available as GitHub workflow artifacts
+- Configuration in `pyproject.toml` under `[tool.bandit]`
+- Suppressed checks: B101 (assert in daemon code), B104 (bind all interfaces — required for IRC server)
+
+### Pylint
+
+[Pylint](https://www.pylint.org/) performs static code analysis for programming errors and coding standards.
+
+- Configuration in `.pylintrc`
+- Results are available as GitHub workflow artifacts
+- Duplicate-code detection (R0801) is disabled due to the assimilai pattern (4 backends share identical files by design)
+
+### SonarCloud
+
+[SonarCloud](https://sonarcloud.io/) provides comprehensive code quality and security analysis.
+
+- Uses **Automatic Analysis** (SonarCloud-managed, not CI-based) — scans `main` and PRs automatically
+- Configuration in `sonar-project.properties`
+- Results available in the [SonarCloud dashboard](https://sonarcloud.io/summary/overall?id=OriNachum_AgentIRC)
+
+### CodeQL
+
+GitHub-native semantic code analysis runs on every push and PR. Results appear in the repository's Security tab.
+
+### Safety
+
+[Safety](https://safetycli.com/) scans dependencies for known vulnerabilities. Results are uploaded as workflow artifacts.
+
+### Dependency Review
+
+On pull requests, GitHub's Dependency Review action checks for newly introduced vulnerable dependencies. Fails on high-severity vulnerabilities.
+
+## Local Development Setup
+
+### Pre-commit Hooks
+
+To run security checks automatically before each commit:
+
+```bash
+uv run pre-commit install
+```
+
+The hooks will now run on each commit. To run all hooks manually:
+
+```bash
+uv run pre-commit run --all-files
+```
+
+### Manual Security Scanning
+
+Run tools individually:
+
+```bash
+# Bandit — security vulnerability detection
+uv run bandit -r agentirc/ -c pyproject.toml
+
+# Pylint — code quality and error detection
+uv run pylint agentirc/ --rcfile=.pylintrc
+
+# Flake8 — style and security linting (includes bandit + bugbear plugins)
+uv run flake8 agentirc/ --config=.flake8
+
+# Safety — dependency vulnerability check
+uv run safety check
+
+# Coverage — test coverage report
+uv run pytest --cov=agentirc --cov-report=term
+```
+
+## Security Best Practices
+
+When contributing to this project:
+
+1. **No Hardcoded Secrets** — Use OS-native credential stores (see `agentirc/credentials.py`). Never commit passwords, API keys, or tokens.
+2. **Input Validation** — Validate and sanitize all external input, especially IRC protocol messages.
+3. **Subprocess Safety** — Use `subprocess.run()` with explicit argument lists. Never use `shell=True`.
+4. **Error Handling** — Catch specific exceptions where possible. Broad `except Exception` is acceptable in async daemon loops to prevent crashes, but log the error.
+5. **Secure Dependencies** — Keep dependencies updated. The Safety check in CI flags known vulnerabilities.
+6. **Federation Trust** — Respect the trust model: `+R` (local only) and `+S <server>` (selective sharing). Never relay messages that violate channel access control.
+
+## Reporting Security Issues
+
+If you discover a security vulnerability, please do **not** open a public issue.
+
+Report privately using one of:
+
+- **GitHub Security Advisories**: [Report a vulnerability](https://github.com/OriNachum/AgentIRC/security/advisories/new)
+- **Email**: Contact the maintainer directly
+
+Include:
+
+- Description of the vulnerability
+- Steps to reproduce
+- Impact assessment
+
+We aim to acknowledge reports within 48 hours and provide a fix timeline within 7 days.

{agentirc_cli-0.19.0 → agentirc_cli-0.20.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "agentirc-cli"
-version = "0.19.0"
+version = "0.20.1"
 description = "🌱 The space your agents deserve — an autonomous agent mesh where AI agents live, collaborate, and grow"
 readme = "README.md"
 license = "MIT"
@@ -48,4 +48,43 @@ copilot = ["github-copilot-sdk"]
 dev = [
     "pytest>=8.0",
     "pytest-asyncio>=0.25",
+    "pytest-cov>=4.1",
+    "bandit>=1.7.5",
+    "pylint>=2.17.0",
+    "flake8>=6.1",
+    "flake8-bandit>=4.1.1",
+    "flake8-bugbear>=23.7.10",
+    "coverage>=7.2.0",
+    "safety>=2.3.0",
+    "pre-commit>=3.5.0",
+    "isort>=5.12.0",
+    "black>=23.7.0",
 ]
+
+[tool.coverage.run]
+source = ["agentirc"]
+omit = [
+    "agentirc/__pycache__/*",
+]
+
+[tool.coverage.report]
+fail_under = 50
+show_missing = true
+exclude_lines = [
+    "pragma: no cover",
+    "if __name__ == .__main__.",
+    "if TYPE_CHECKING:",
+]
+
+[tool.isort]
+profile = "black"
+line_length = 100
+known_first_party = ["agentirc"]
+
+[tool.black]
+line-length = 100
+target-version = ["py312"]
+
+[tool.bandit]
+exclude_dirs = ["tests", "packages"]
+skips = ["B101", "B104"]

agentirc_cli-0.20.1/sonar-project.properties

@@ -0,0 +1,27 @@
+sonar.projectKey=OriNachum_AgentIRC
+sonar.projectName=AgentIRC
+sonar.projectVersion=0.20.1
+
+# Path to source directories
+sonar.sources=agentirc
+sonar.tests=tests
+
+# Language
+sonar.language=python
+sonar.python.version=3.12
+
+# Encoding of the source files
+sonar.sourceEncoding=UTF-8
+
+# Python coverage report
+sonar.python.coverage.reportPaths=coverage.xml
+
+# Exclude patterns
+sonar.exclusions=**/packages/**,**/__pycache__/**,**/test_*.py
+
+# Security-related settings
+sonar.python.bandit.reportPaths=bandit-results.json
+sonar.python.pylint.reportPaths=pylint-results.json
+
+# Quality gate configuration
+sonar.qualitygate.wait=true